Microsoft System Center is a family of
IT management solutions (including Operations
Manager and Systems Management Server)
designed to help you manage your mission-critical
enterprise systems and applications.

Nissan manages 56,500 PCs on three continents 
with System Center. That's big. See Nissan and 
other case studies at DesignedForBig.com 
ADVERTISEMENT


The Key to Maximum Performance and
Reliability for Windows Vista and Beyond



Diskeeper's interface shows fragmentation levels and relative 
locations of all the files and folders on the selected volume. 


A SPECIAL REPORT 

Windows Vista has finally arrived, and
reviewers are hailing it as the best
OS Microsoft® has ever built. For
corporations, it boasts robust features such as
greatly improved security, a wholly new and
highly versatile user interface, significantly
simplified software deployment, and broad
backwards-compatibility. While it may not
happen right away, most if not all Windows®-central
enterprises will want to make the move
to Windows Vista.

Defragmentation Technology— 
Time for a Change 

It's well known that a high number of system
slows, crashes, and even file corruption
and errors can be traced to file fragmentation. 1
File fragmentation puts your system performance
and reliability in serious jeopardy. It's no
surprise, then, that substantial performance
gains from defragmenting, in the range of
90%, have been documented. 2

But it's not only the decision to defragment
your systems that makes the difference. The
choice of defragmentation technology, both
before and after your move to Windows Vista,
is crucial.

The sheer scope and activity of computer
systems today has made even scheduled
defragmentation, once "state of the art," obsolete.
Disks and files once measured in kilobytes
and megabytes are now measured in gigabytes
and terabytes, and the sheer number of
files has increased tremendously. Testing has
shown that scheduled defragmentation cannot
keep pace; between defragmenter runs,
fragmentation simply builds up and continues
to negatively impact performance. 3

The True Solution to Maximum 
Performance and Reliability 

Only a completely automatic defragmentation
solution such as Diskeeper 2007—released
just in time for Windows Vista—will truly keep
pace with the ever-expanding capacity and
intense activity on today's disks. Instead of providing
partial benefit when defragmentation
runs occur, all applications and all files benefit
from increased performance all the time.

With its proprietary breakthrough InvisiTasking™
technology, Diskeeper 2007 defragments
and enhances file systems in real-time,
with no scheduling needed. Defragmentation is
now performed on-the-fly, with no performance
hit on system resources. Your system is consistently
faster and more reliable with Diskeeper
2007—period. In testing against scheduled
defragmentation, which leaves fragmented files
behind after running, Diskeeper 2007 consistently
eliminates fragmentation to continuously
provide maximum performance and reliability. 3
Take advantage of our free 45-day trial and see
for yourself.

Plus, Diskeeper 2007 includes Intelligent File
Access Acceleration Sequencing Technology
(I-FAAST™) 2.0, specifically designed to deliver
increased performance, speed and reliability
above and beyond defragmentation benefits.

Be Completely Ready for 
Windows Vista 

With its stunning GUIs, Windows Vista
brings a whole new level of operation to computer
interaction. Because of its graphical
nature, and its support of an ever-widening
variety of graphical and video-based programs,
enormous files and high-capacity disks
are the norm. Smooth, fast access to these files
is vital, especially with applications such as
business conferencing and video presentations.
Additionally, Windows Vista utilizes considerable
resources, and it is vital that applications
offering better performance not drain
resources from an already taxed pool.

If scheduled defragmentation cannot keep
up with current system demands, it will be
completely lost with Windows Vista. Deploying
Diskeeper's real-time defragmentation right at
Vista deployment means that peak performance
and reliability are part of the package,
and one less headache for an already-overworked
system administrator.

With Windows Vista, disk
activity on servers also reaches
new demanding heights—and
Diskeeper Server and Diskeeper
EnterpriseServer versions are
right there with advanced technologies
such as Terabyte Volume
Engine™ 2.0, especially designed
for fast defragmentation on the
highest capacity servers.

Diskeeper's automatic defragmentation
is vital during the move
to Windows Vista as well.
Deployment of a new OS is no
mean feat—it means hardware
upgrades, changes and revisions
in policy, verification of legacy
support, carefully controlled software
deployment, and a long list of other vital
tasks performed while continually extinguishing
fires and maintaining current networks.
The last things you need during such an evolution
are reliability and performance problems
from your current systems such as slowed disk
access and response times.

And since Diskeeper 2007 already runs on 
Windows Vista, the licenses you buy now will 
be with you every step of the way, all the way 
into and beyond the move to Windows Vista. 

Automatically maximize your system 
performance and reliability now and put disk 
performance problems behind you—for 
Windows Vista and beyond. 


Diskeeper.

Maximizing Performance and Reliability — Automatically!™


Special Offer 


Try Diskeeper 2007 FREE for 45 days! 

Download: www.diskeeper.com/itpro4 

(Note: Special 45-day trialware is 
only available at the above link) 

Volume licensing and Government / Education 
discounts are available from your favorite 
reseller or call 800-829-6468 code 4417 


For test results, white papers and case studies, 
visit www.diskeeper.com/itpro4doc 

1 File Fragmentation White Paper 
2 Article: The Impact of Disk Fragmentation, WindowsITPro 
3 White Paper: Is Real-Time Defrag Needed?
“Right-Sizing Your
Log-Management Solution”

In this on-demand Web seminar, log-management expert
Randy Franklin Smith discusses how your organization can
get the most out of its log-management investment. Randy will
talk about key requirements, architectural differences, and risks
to watch for as you spec out your requirements and design.

http://www.windowsitpro.com/go/webseminar/Prism/rightsizing/?code=citcspt


“The Web Isn’t 
Fun Anymore” 

The Internet is obviously
a necessary
tool for business. However,
it has a dark side.

This white paper examines
cutting-edge technology
that can help
you prevent infections
and guard against zero-day
attacks.

http://www.windowsitpro.com/go/wp/websense/threats/?code=citcspt



COMING SOON!

Don’t miss out on our forthcoming
on-site and virtual events,
covering Microsoft Exchange Server,
SharePoint, virtualization,
business intelligence (BI), and
more—starting this month!

http://www.windowsitpro.com/events 


“KVM over IP 
Management for 
the Distributed IT 
Environment” 

KVM switches are valuable
server-management
tools. But in today’s distributed
IT environment, they
have many weaknesses. This
paper discusses the complexities
of managing the distributed
data center and highlights the
advantages of using a KVM over IP solution
that delivers flexible, scalable, and
affordable CAT5-based remote access.

http://www.windowsitpro.com/go/wp/lantronix/KVM/?code=citcspt


“Preparing to Upgrade to 
Exchange 2007” 

Moving to Exchange 2007? Check
out these tips to help ease the transition.
Alan Sugano explains how upgrading
to Microsoft Exchange 2007 from
Exchange 2003 and earlier is “as big of a
jump as it was migrating from Exchange
5.5 to Exchange 2000.”

http://www.windowsitpro.com/Articles/ArticleID/96565/96565.html




The Missing Link to IT Resources 

Our staff is excited about creating
online resources to help you
do your job and get involved in your
community. We even have meetings
about it—brainstorming and everything.
Take a look at these developments
on our Web sites, and try to not
get your job done faster when using
them. Just try it.

Windows Excavator 

Windows Excavator is our vertical
search engine for Microsoft technology
and news. You can try a general
advanced search, search by predefined 
topics, and even suggest other helpful 
sites that might be missing from the list. 
Sometimes, I’ll do the “vertical worm” 
out on the dance floor, but don’t get that 
confused with this search. This tool is 
way more useful than my sweet moves. 
http://www.winexcavator.com 

Blogs, Blogs, Blogs 

What kind of blog do you need? I bet 
we’ve got it. We’ve added a few new 
ones recently that cover even more 
topics that affect your daily job. Two 
of my favorites are: 

IT 911: Experts and Resources on 
Critical Issues as They Happen 

When you need a single place to get 
all the information on a situation that 
could affect your network, make IT 911 
your first and last stop. 

Fearless Security: Life in the InfoSec 
Industry; Tales from Outside the 
Firewall 

No-holds-barred discussion and 
commentary on security and other IT 
matters. 

http://www.windowsitpro.com/blog 
tools4ever


User Account Management automated 
at CentraState Healthcare 


CentraState Healthcare System recently embarked on a project to find a secure and automated method for managing user account 
lifecycle in Active Directory and Exchange for their employees at six locations. When the search started, CentraState IT staff was 
managing the process manually utilizing Microsoft Active Directory Users and Computers. 

The reasons for automating the process were as follows: 

• Seamlessly manage User accounts by linking with the Lawson Human Resource application for new hires and 
terminations and avoid manual intervention. 

• A need for the account name and other relevant information in Lawson. 

• Easily create Users in the proper Organizational Unit based on location and department and avoid errors. 

• Create email accounts on the proper server/store based on location. 

• Immediate disabling of user accounts upon termination for greater regulatory compliance. 

CentraState selected the Tools4ever User Management Automation module along with professional services to complete the
bi-directional link between Lawson and Active Directory.

About the Solution 

As employees are hired by CentraState, their pertinent information is entered into the Lawson HR system that currently runs on an
IBM i-series (AS 400) computer. Conversely, as employees resign, a termination date is placed in the HR system.

On a regularly scheduled basis, the User Management application starts a query to capture all employee data and begin the 
process of updating Active Directory. If the account already exists in AD, any updates, such as name, location or department changes 
are appropriately processed. If the account does not exist, it is created along with an Exchange mailbox, home directory and 
assigned to the appropriate Group Profiles based on job title and department. If the employee start date is in the future, the account 
is created but put in a disabled state until the date is reached when it is activated. 

CentraState's naming requirements for both Active Directory and Exchange mailboxes were handled automatically by the
application as were the iterations required, when necessary, for uniqueness. Business logic was also defined within the product to
allow the automatic placement of users into the correct OU based upon their specific location and department. This location and
department information is also utilized to ensure mailboxes are created within the proper server and store. When an employee
termination occurs, the information is processed by User Management and accounts are appropriately disabled on the date and
then deleted after a specific period of time has passed.

Information that is created during the Active Directory processing, such as User Account Name and e-mail address, is fed back to
the Lawson database twice a day. This is done to ensure that Lawson has accurate information when anything has changed in Active
Directory without requiring manual intervention.

Advantages 

Approximately 2 weeks after commencement, the entire project was implemented and operational. The reduction in time spent by
the staff managing user account lifecycle was tremendous. Commenting on the project, Mark Handerhan, IT Manager, stated, "The
Tools4Ever implementation was one of the most highly valuable, cost effective solutions that I've ever implemented. We have taken
the manual intervention out of the equation for many mundane AD/user tasks, such as disabling network accounts. User accounts
are now disabled in real-time once terminated in Lawson. This provides us with a greater level of network security, while also
assuring compliance with industry standard regulations such as HIPAA." In summary, the IT staff at CentraState can spend more
time on mission critical support and planning while eliminating the requirements to spend time on routine user account tasks.



About CentraState 

CentraState Healthcare System is a non-profit community 
health organization consisting of an acute-care hospital, 
three senior living centers, a health education and activities 
center, a family medicine residency program, and a 
charitable foundation. It is a member of the Robert Wood 
Johnson Health Network and a clinical research affiliate of 
The Cancer Institute of New Jersey. 


About Tools4ever 

Tools4ever offers quality and scalable productivity 
solutions for the Windows 2000/2003 system administrator 
with the main focus on User Provisioning and Life Cycle 
management, Identity Management, Active Directory 
management and employee self service. 

Tools4ever, Inc. 516.482.4414 www.tools4ever.com


IT Pro Perspective


Microsoft’s Software Plus Services Strategy 

A grand unification 


Steve Ballmer has been repeating himself lately. He
keeps saying Microsoft "grew up as what people like
to call a desktop company. To this day, I'm not sure
I know what a desktop company is, but I know we were a
desktop company." Ballmer's uncertainty is disingenuous
given that Microsoft's mission statement was "A PC on every
desktop and in every home." But his assertion leads his listeners
to acknowledge that Microsoft has a track record of
diversification that proves a desktop company can conquer
the enterprise. Ballmer is neatly laying the foundation for
people to accept that Microsoft is prepared to change its
business model again and overtake "Web 2.0" competitors
such as Google and Salesforce.com. Ballmer's term for this
new competitive model is "Software Plus Services" (my
emphasis). But beyond addressing competitors that offer
Software as a Service (SaaS), Ballmer's term goes directly to
the heart of the real competitive challenge Microsoft faces:
how to protect and grow Microsoft's huge software revenue
while finding a way to monetize Web-based services.

Microsoft vs. Microsoft 

How can Microsoft avoid competing with itself as the 
company takes on SaaS? All indications are that SaaS has 
galvanized the company around a strategy that amounts 
to a grand unification of Microsoft's disparate products. 
The company isn't looking solely at providing services 
to go along with all of its software—as, for example, with 
Exchange Server and Outlook Client on the software side, 
Outlook Web Access (OWA) on the service side, Outlook 
Mobile as a device form factor, and Outlook Voice Access 
on the Unified Communications (UC) side. Doing so is 
a given: Chris Jones, corporate vice president, Windows 
Live Experience Program Management, has said, "Looking 
ahead five years we believe every piece of software could 
come with a service and that customers will come to expect 
that." Nor do I think Microsoft is simply creating a business 
model for subscription services such as Windows Live and 
Microsoft Dynamics, or just getting serious about advertising
revenue, or even hosting business-critical technologies
such as Exchange.

Rather, I think the key to Microsoft's "grand unification"
is indicated by the four pillars of Software Plus Services
that Ballmer has been touting in such remarks as, "[T]he
only model that will be able to really supersede where we
are today, needs to bring together the best of four very different
phenomenon [sic]: the best of the desktop PC world;
rich user interface; offline and online access; what I call
personal integration, the ability to bring things together and
integrate them and store them and manage them and link
them together in unique and arbitrary ways, not restricted
to what somebody will let you do on some server or some
service."

Integrate, Manage, Store, Link 

You can see how Ballmer's four pillars translate into Microsoft
unification if you think about the initiatives generating
the most momentum within Microsoft: integration (e.g.,
Office as a front end for business applications and business
intelligence—BI), management (System Center becoming
the ubiquitous management paradigm—both as a
brand and as an integrated component of products such
as Forefront and, soon, SQL Server), storage (SharePoint,
SQL Server, and storage per se), and linkage (UC bringing
together all communication at the PC)—and I'm not even
touching on the developer side of all this.

Explicitly, Ballmer has said, "We're building out a service-based
infrastructure, not server by server, but new
management model, new development model, new storage,
networking, computation model from the get-go. On
top of this new platform, the cloud infrastructure services,
we're also building directory services, rendezvous, device
management, the kinds of things that we deliver to you
today in our packaged products."

Strategic Direction? 

It's always amazed me that Microsoft could never manage 
to determine a strategic direction for the entire company. 
Could it be that the company finally figured out how to
move itself forward under a coherent strategy that continues
to produce software revenue but also creates new
revenue streams?

Commenting on Software Plus Services, Paul Thurrott
recently wrote, "The real surprise, of course, is that the
company honestly has no idea how it's going to make it all
work yet. Yesterday, Microsoft CEO Steve Ballmer said they
would need 3-10 years, depending on the product, to make
this transition" (WinInfo Short Takes: "Week of July 30," July
27, 2007, InstantDoc ID 96662). I respectfully disagree with
my colleague and friend Paul. I believe Ballmer's time frame
refers to how long it will take to put together the pieces of
the grand unification strategy.

But then, this is Microsoft. By the time this article is published,
the company might be on a completely new path. Let
me know where you see the company moving.

InstantDoc ID 96673 
_INFRASTRUCTURE LOG


_DAY 84: Feeling really disconnected. We’re not getting the
most out of our existing assets. Service and application
integration is a nightmare. Our connections are
restrictive. We’ve got to stop working on these islands.

_Please rescue me from this lack of connectivity.

_DAY 87: I’ve taken back control with IBM WebSphere solutions.
Now we can service-enable and connect our existing
assets for mission-critical goals. We can reuse existing
applications and save money by eliminating redundant
systems. Now we’re ready for any SOA integration project.

_Plus, no more jellyfish stings.


Download the enterprise service bus white paper at: 

IBM.COM/TAKEBACKCONTROL/CONNECT 
No Pressure, VMM

Karen Forster got it right with IT
Pro Perspective: "Virtual Machine
Manager's Significance" (June 2007,
InstantDoc ID 95994). Until now, I've
only attempted to virtualize servers
that don't require a lot of processing
power. With quad-core processors
becoming available from both AMD
and Intel by the end of the summer
and Microsoft Virtual Server R2
SP1 taking advantage of the performance-boosting
technology in
the new processors, the only thing I
plan to leave on their own boxes are
heavily used terminal servers and
maybe SQL Server. (I'll be upgrading
to Microsoft SQL Server 2005 next
year and will try it virtualized first.)

If Microsoft doesn't do well with
Virtual Machine Manager (VMM)
before this virtual machine explosion
takes off, I expect it will get shut
out by VMware, especially in larger
companies that are going to require
a good management tool.

—Nate McAlmond 


Disappointed in 
Exchange Article 

I was quite excited to read Brien
Posey's Required Reading article,
"Configuring Exchange Server 2007"
(July 2007, InstantDoc ID 96044).
Because I'm in the middle of a global
implementation of Exchange 2007,
every tip and trick are welcome, and
with that in mind, I found the article
to be sad and disappointing reading.
The article is a simple walk-through
of the guide the console presents,
and it didn't even point out the
main problems you will meet by
following the guide. These issues are
connected to the fact that Exchange
2007 extensively uses Secure Sockets
Layer (SSL) for client communications
and has started using a hard-coded
host name of autodiscover.yourdomain.com
for configuration
of Outlook 2007. Without using this
host name as a valid DNS name on
the SSL certificate, the configuration
will not work. Further, all the commercial
Certificate Authorities (CAs)
I have tried require that the certificate
request contain values for subject
and country. The instructions in the
article for creating a request don't use
these values. Finally, the article
doesn't mention that Exchange
2007 requires a certificate with an
extended set of properties, to allow more
than one host name within the
same certificate.

—Thor Milde 
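
The name coverage described in the letter above can be checked before a certificate is bound to Exchange client access. The PowerShell below is an added example, not code from the magazine, the letter writer or Microsoft; the function names, example.com, the host list and the subjects are assumptions constructed for illustration.

```powershell
# Added example: check that a certificate names every host Exchange 2007
# clients will connect to, and that its subject carries a country.
# Written for Windows PowerShell 3.0 or later. All host names and subjects
# below are constructed placeholders.

function Get-CertDnsNames {
    # Returns the DNS entries of the Subject Alternative Name extension (OID 2.5.29.17).
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return }
    # Assumption: Format() renders entries as "DNS Name=host" (English-language
    # Windows) or "DNS:host" (OpenSSL-backed .NET); other locales need another pattern.
    [regex]::Matches($san.Format($false), '(?:DNS Name=|DNS:)\s*([^\s,]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() }
}

function Test-ExchangeCertNames {
    param(
        [Parameter(Mandatory = $true)][string]$Subject,
        [string[]]$DnsNames = @(),
        [Parameter(Mandatory = $true)][string[]]$RequiredHosts
    )
    # Split the subject into its components (simple split; escaped commas are not handled).
    $rdns = @($Subject -split '\s*,\s*')
    $cn = ($rdns | Where-Object { $_ -match '^CN=' } | Select-Object -First 1) -replace '^CN=', ''
    $hasCountry = [bool]($rdns | Where-Object { $_ -match '^C=[A-Za-z]{2}$' })

    $names = @($DnsNames | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() })
    # A certificate without alternative names covers only its common name.
    if ($names.Count -eq 0 -and $cn) { $names = @($cn.ToLowerInvariant()) }

    $missing = @($RequiredHosts | Where-Object { $names -notcontains $_.ToLowerInvariant() })

    [pscustomobject]@{
        HasCountry   = $hasCountry
        CoveredNames = $names
        MissingHosts = $missing
        Usable       = ($hasCountry -and ($missing.Count -eq 0))
    }
}

# Hosts the clients use: the mail host plus the Autodiscover name from the letter.
$required = 'mail.example.com', 'autodiscover.example.com'

# Constructed case 1: single-name request with no country in the subject.
Test-ExchangeCertNames -Subject 'CN=mail.example.com' -RequiredHosts $required

# Constructed case 2: multi-name certificate with a full subject.
Test-ExchangeCertNames -Subject 'CN=mail.example.com, O=Example Corp, C=US' `
    -DnsNames 'mail.example.com', 'autodiscover.example.com' -RequiredHosts $required

# Against an installed certificate (the thumbprint is a placeholder):
# $c = Get-Item Cert:\LocalMachine\My\<THUMBPRINT>
# Test-ExchangeCertNames -Subject $c.Subject -DnsNames (Get-CertDnsNames $c) -RequiredHosts $required
```

The first call reports the Autodiscover host as missing and no country in the subject; the second reports a usable certificate.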


Thank you for your feedback, Thor.
Required Reading articles are intended
to provide basic-level information for
readers who don't have the depth of
experience that you obviously possess.
We try to cover a broad range
of Exchange topics both in Windows
IT Pro and on our Exchange & Outlook
Pro VIP Web site. One example
is the article "My Exchange Server
2007 Migration Story," an Exchange
administrator's account of his
Exchange Server 2007 deployment.
You can access this article for free on
the Exchange & Outlook Pro VIP site
at http://www.exchangeprovip.com
with InstantDoc ID 95906.

—Brien Posey


Where’s Symantec?

I read John Green's "Policy-Based
Management of Desktop Antivirus
Products" (May 2007, InstantDoc ID
95568). It's a very good article. The
management side of antivirus isn't
always looked at; other concerns
usually come first, but if you don't
have a good way of managing the
product, you won't have good security,
regardless of how well the antivirus
client finds viruses.

Several of my customers are running
Symantec antivirus software. I'd
like to think that John didn't include
Symantec's product in his review
because it didn't fit the review's
scope: "products that offer central,
policy-based management of desktops
and servers." Is this correct, or
was there another reason
for not testing Symantec's
product?

—Magnus Bostrom

I approached Symantec
about participating in this
comparative review, and
the company declined.
Considering Symantec's
prominence in the
market, I would have
preferred to include its
product in my review.

—John Green


EDITOR’S NOTE

Windows IT Pro welcomes
feedback about the magazine.
Send comments to
letters@windowsitpro.com,
and include your full name,
email address, and daytime
phone number. We edit all
letters and replies for style,
length, and clarity.



Batch-File Solution 
Logoff Script 

Many thanks to Michael Dragone for
solving my problem in Anne Grubb's
"It's 10:00 P.M.: Do You Know Who's
Logged On?" (June 2007, InstantDoc
ID 95922). Unfortunately, the "excerpt"
of Michael's script that I downloaded
(i.e., the logon script) is the only piece I
already had. Can he provide the logoff
script, and explain how to execute it? I
just can't figure that part out. I do volunteer
work for a couple of non-profits,
and we really need this code.

—Gil Brand 

Sure, Gil, I'm happy to help out. The 
logoff script looks like this: 

echo %username% Logged out on %date% at %time%. >> \\SERVERNAME\Audit\Clients\%computername%.txt
echo Logged out of %computername% on %date% at %time%. >> \\SERVERNAME\Audit\Users\%username%.txt

Save this as a batch file and run it
from a Group Policy Object (under
User Configuration > Windows Settings >
Scripts (Logon/Logoff)).

—Michael Dragone 

InstantDoc ID 96677 
Only Ninja Email Security has a dedicated image-spam detection engine

Image spam plays by different rules, designed to defy the old standard antispam practices that the other guys still try to use. 
Only Ninja Email Security for Exchange gives you a dedicated engine designed to beat image spam at its own game, and kill it. 

Mutation-proof: In addition to its own image-spam engine,
Ninja leverages the built-in Cloudmark engine to “fingerprint”
image spam. Even if images mutate from one day to the next, the
fingerprints don’t. This one-two punch is murder on text spam too.

Ninja is the all-in-one, best-of-breed, third-generation
email security solution: Ninja’s plug in
architecture integrates policy-based antispam, antivirus, attachment
filtering, and disclaimer modules on your Exchange server.

Policy-based control: Ninja’s extensive policy creation 
capabilities help ensure messages are handled properly according 
to your company’s business processes and security policies. 

SMART™ attachment filtering:* Ninja has the first policy-based attachment filter. It polices attachments based on 
email direction - inbound, outbound or within the organization. Additionally, Ninja looks inside many types of files to see 
their true identity, rather than blindly trusting file extensions, which can easily be faked. 




Dual-engine antivirus: Ninja combines the power of two high-quality AV engines: Authentium and BitDefender.

Disclaimers: Ninja’s Disclaimer plug-in provides global and user-based disclaimers for all outbound email. You can 
configure policy-based disclaimers based on specific users, 
groups, domains, or public folders. 

Download your free evaluation copy at: 

www.sunbeltsoftware.com/ninjawin



Sunbelt Software 


Email sales@sunbeltsoftware.com or call 1-888-688-8457 
for your 50% discount competitive upgrade offer 


SunbeltSoftware Tel: 1-888-688-8457 or 1-727-562-0101 Fax:1-727-562-5199 www.sunbeltsoftware.com sales@sunbeltsoftware.com 

*Suspicious Mail Attachment Removal Technology™

© 2007 Sunbelt Software. All rights reserved. Ninja Email Security and Suspicious Mail Attachment Removal Technology are trademarks of Sunbelt Software. All trademarks used are owned by their respective companies. 

Competitive upgrade based on 50% of the Ninja list price.


What You Need to Know About...

Instant Search Changes to Windows Vista SP1


The conventional wisdom is that Microsoft's historic
antitrust battle with the US government and several
states ended with a decided victory for the software
giant: The 2002 settlement seemed biased in Microsoft's
favor, and the consent decree seemed to require little of
significance from the company. However, it's now clear that
Microsoft is a changed company as a result of this battle,
and its kinder and gentler persona in recent years suggests
that the settlement has had the desired effect.

Windows Vista is an obvious and recent example: In
the months leading up to the completion of the OS in 2006,
Microsoft made numerous concessions to competitors
without being required to by the courts. What's amazing
about this trend is that Microsoft is still making Vista concessions
today. Most recently, it has agreed to change the
Instant Search feature in the SP1 update to the OS to quell
complaints from Internet search giant Google. Here's what
you need to know about the changes Microsoft is making to
the Instant Search feature in Vista SP1.

Google’s Complaint 

Google announced the first beta release of its own desktop
search product, Google Desktop Search (GDS) in October
2004, about a year after the 2003 Professional Developer
Conference, at which Microsoft revealed its intention to
include Instant Search in Vista. Google Desktop Search was
designed to extend Google's popularity on the Internet to
the PC desktop and provide a Google Internet Search-like
experience with local files. (More recently, Google has
shipped GDS versions for both Mac OS X and Linux as well.)
Meanwhile, a number of other companies also shipped
similar desktop search products, Apple's Spotlight feature in
Mac OS X 10.4 being, perhaps, among the most well known.
Even Microsoft got into the game: With Vista delayed again
and again, the company shipped a free instant search add-on
for Windows XP called Windows Desktop Search.

About a month after Microsoft finalized Vista in November
2006, Google complained to the Department of Justice
(DOJ) about the Instant Search feature. What's interesting
about this complaint is that the DOJ attempted to keep it
quiet, and—most alarmingly—tried to coerce the US states
against Microsoft in the antitrust case to ignore the complaint.
Eventually, the states rebelled against this request
because they feared that the complaint had merit and that
Microsoft was once again up to its old tricks. The Google
complaint became public in mid-2006.

Why would the DOJ try to smother Google's complaint?
Remember that the DOJ of today is very different from the
Clinton administration department that sued Microsoft in
the 1990s. Today, the DOJ is pro-business, and Microsoft is
seen as one of America's shining success stories, especially
given the philanthropic activities of Microsoft co-founder
Bill Gates. The states felt that the Google complaint had
merit, and some state attorneys general were ready to
move against Microsoft on their own if the DOJ didn't get
on board. Facing a mutiny, the DOJ reversed course and
pledged to work with the states to convince Microsoft to
address Google's concerns.

Google's complaint is straightforward. The company
believes that desktop search functionality in Windows should
be treated like other middleware as defined by Microsoft's
consent decree—that is, applications such as media players,
email clients, Web browsers, and IM solutions. Google
argued that consumers and PC makers should be allowed
to completely swap out Microsoft's built-in applications for
third-party solutions. According to Google, the change would
create a more competitive environment that would benefit
users, PC makers, and third-party developers alike.

Google also said that Vista's Instant Search feature
had been designed so that third-party solutions, such as
Google Desktop Search, no longer worked as well as they
did in XP. The Instant Search indexer can't be turned off,
for example, and users who install Google Desktop Search
will see system performance decline because two indexers
are running simultaneously. Although it was possible to
integrate Google Desktop Search into various UI points in
XP—such as the Start Menu and Windows Explorer windows—it's
not possible to do so in Vista. Microsoft, Google
said, engineered Vista specifically to harm competitors.

Microsoft’s Reply 

Microsoft's initial reply to these charges was predictable: Microsoft CEO Steve Ballmer called the complaint "baseless." But the company began working immediately with representatives from the DOJ and several states to hammer out a compromise. A few days after the Google complaint was first aired publicly, Microsoft announced that it would change the Instant Search behavior in Vista, starting with the release of Vista SP1, which it said would ship in beta form by the end of 2007.

Desktop search will indeed be treated like other middleware in Windows, per Google's request, allowing users and PC makers to choose third-party solutions. In such cases, the Instant Search indexer will still run, but at a lower priority; a higher priority will be given to whatever third-party indexer is installed.


Microsoft will also modify the Vista Start menu so that users who install Google Desktop Search or other solutions can access those solutions via the Search entry in the Start menu. In addition, Microsoft will modify Windows Explorer so that third-party desktop search providers can install a link to their products in these windows. However, the Instant Search box in Vista's Windows Explorer windows will remain, even when third-party solutions are installed.

The DOJ and the states immediately accepted Microsoft's proposal and, together, presented it to Judge Colleen Kollar-Kotelly at a regularly scheduled June 2007 status meeting about the Microsoft antitrust case. Google, irked that it did not get to review Microsoft's changes before they were approved, repeatedly petitioned the court for permission to comment. But Kollar-Kotelly noted that it was the DOJ and states, not Google, that represented the public's interest in the case. Any complaints would need to go through those entities, not the court.


Google is unlikely to ever approve of Microsoft's changes, since they only partially address Google's original complaint. For example, Microsoft isn't providing a way to completely replace Instant Search, nor is Microsoft giving third-party developers access to the search boxes that already exist in Vista's Windows Explorer windows. This is a battle that will quite likely extend well beyond the release of SP1.

Recommendations 

To date, Microsoft has been unusually reticent about discussing the features in Vista's first service pack, but some alarming trends are emerging that might threaten the long-held belief that enterprises should upgrade to a new Windows version only after the first service pack ships. Here's what we know: Vista SP1 will include a new kernel version aimed at bringing Vista up-to-date with the kernel Microsoft will ship in Windows 2008. The new kernel will also include major security changes brought about by late-2006 complaints from security vendors such as Symantec and McAfee. SP1 will include the Instant Search changes outlined here, as well as a host of other changes, most of which are still in various stages of rumor status. And that's the rub: Thanks to its newfound policy of secrecy, Microsoft has made something that should be transparent quite the opposite. For this reason, I recommend that enterprises that had expected to begin deploying Vista at SP1 hold off until a future date: Too much is unknown about SP1 at this time, and too much is in flux, for anyone to make reliable deployment plans.

I'm also calling on Microsoft to end the silliness and explain both its release schedule going forward and the exact features we can expect in each Vista service pack and in subsequent versions of Windows. Holding back this critical information is not in Microsoft's best interests, and it's certainly not in its customers' best interests. It's time to do the right thing, Microsoft. This is information your customers need to know.

InstantDoc ID 96602 



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Reader to Reader 


Create Custom Events with a Single Command

The Windows Event Viewer is a tool that can provide you with useful information regarding your computer's health. It contains at least three logs: the Application log (which contains events generated by applications), the Security log (which contains security-related events generated by Windows), and the System log (which contains systemwide events generated by Windows). Each log displays Information, Warning, and Error events, which are accompanied by the name of the source component that raised the event, a brief event description, and an event ID. Administrators rely on these logs not only for information about problems (e.g., failure to start a service) but also for information about successful operations (e.g., successful RAS connections).

Sometimes it's useful to log your own events. For example, I have a startup script that I've scheduled to run every night. I recently found a way to log its events so that I could make sure it was successfully executing. You can log events by using the Eventcreate command. The basic syntax that I use is:

Eventcreate /ID EventID /L LogName /T Type /SO Source /D Description

where 

• EventID is the ID you want to give 
the event. You can use any number 
from 1 to 1000. 

• LogName is the name of the log to 
which you want to write the event. 
You can write to the Application or 
System log but not the Security log. 

• Type defines the severity of the 
event. You can specify Information, 
Warning, or Error. 

• Source specifies the component 
(e.g., application, script) generating 
the event. 

• Description is the text you want displayed when the event appears in the log.



For example, I created the following event to be logged whenever my startup script successfully executes. Note that this command has to be entered inside the startup script, on a single line:

Eventcreate /ID 123 /L Application /T Information /SO StartupScript /D "Startup script executed!"

You can even write events to a log on another computer by using the eventcreate command's /S Computer parameter (where Computer is the machine's name). If you need to specify alternate credentials for the remote computer, you can use the /U User and /P Password parameters (where User and Password are the credentials). For information about these three parameters, open a command prompt and type

eventcreate /?

The Eventcreate command works on Windows Server 2003 and Windows XP. I haven't tested it on any other OSs.

—Apostolos Fotakelis 

InstantDoc ID 96613

Beware of Unused NICs

When you're configuring a new server that has multiple NICs, it's important that you disable any NICs that aren't plugged in to the network. If you don't disable an unused NIC, the Windows software will assign it an IP address from the 169.254.x.x subnet. This address isn't used anywhere on the network and isn't routable across any WAN routers.

At this point you might be thinking, "So if it isn't connected, what's the problem?" Problems can arise on domain controllers (DCs) running DNS. Servers register all active IP addresses with the default DNS server. On a DC, this has the side effect of registering the server in Active Directory (AD) as a DC with two IP addresses: its valid IP address and the invalid 169.254.x.x address.

When a client makes a DNS request to find all the DCs for the appropriate domain, occasionally the client will be given the invalid 169.254.x.x address as a valid DC address because addresses are returned in a round-robin fashion. The client will then attempt to contact the DC using this invalid address. Of course, it won't be able to contact the DC, and the connection will fail. The client will then attempt to look up another DC using DNS. Eventually the client will succeed, and all will be fine. However, all these extra lookups will slow down the client computer.

We learned about this problem while attempting to connect a new storage appliance. The appliance was able to register with the domain but periodically would be unavailable when we attempted to browse for files located on the appliance. We had to manually go through DNS and remove all of the invalid entries and reregister the appliance with the domain to correct the problem.

So, the moral of the story is this: If you have multiple NICs in a server, disable those NICs that aren't being used.

—Chris Lamb, Director, 
IT Infrastructure, HIT Entertainment 

InstantDoc ID 96610 
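
The DNS cleanup described in the tip above, as an added example that is not part of the original tip: a Python script that scans exported A records for addresses in 169.254.0.0/16 and reports, per name, how large a share of round-robin answers would point at the dead address. The simplified "name TTL type data" record layout, the host names, and the addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# APIPA / link-local range that Windows assigns to an enabled NIC with no lease.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Constructed sample, not from the article: simplified "name TTL type data"
# lines of the kind a zone export contains. Names and addresses are invented.
SAMPLE_ZONE = """\
; constructed sample records
@                      600   A    10.1.1.10
@                      600   A    169.254.27.113
dc01                   1200  A    10.1.1.10
dc01                   1200  A    169.254.27.113
dc02                   1200  A    10.1.1.11
nas01                  1200  A    10.1.1.50
nas01                  1200  A    169.254.8.4
_ldap._tcp.dc._msdcs   600   SRV  0 100 389 dc01.example.test.
broken                 1200  A    not-an-address
"""


def parse_a_records(text):
    """Yield (name, IPv4Address) for every well-formed A record in text."""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if "A" not in fields[1:]:             # other record types (SRV, NS, ...)
            continue
        data_index = fields.index("A", 1) + 1
        if data_index >= len(fields):         # "A" with no address after it
            continue
        try:
            yield fields[0], ipaddress.IPv4Address(fields[data_index])
        except ValueError:
            continue                          # malformed address, skip the record


def find_link_local(text):
    """Return sorted (name, address) pairs whose address is in 169.254.0.0/16."""
    return sorted((name, str(ip)) for name, ip in parse_a_records(text)
                  if ip in LINK_LOCAL)


def audit(text):
    """Report each name that has at least one link-local A record.

    bad_ratio is the share of that name's A records that are unreachable,
    i.e. how often a round-robin answer leads with the dead address.
    """
    by_name = defaultdict(lambda: {"valid": [], "link_local": []})
    for name, ip in parse_a_records(text):
        key = "link_local" if ip in LINK_LOCAL else "valid"
        by_name[name][key].append(str(ip))
    report = {}
    for name, addrs in by_name.items():
        if addrs["link_local"]:
            total = len(addrs["valid"]) + len(addrs["link_local"])
            report[name] = dict(addrs, bad_ratio=len(addrs["link_local"]) / total)
    return report


if __name__ == "__main__":
    for name, entry in sorted(audit(SAMPLE_ZONE).items()):
        print(f"{name}: remove {entry['link_local']} "
              f"(keeps {entry['valid']}, bad answers {entry['bad_ratio']:.0%})")
```

Names that appear in the report with both a valid and a link-local address are the multihomed servers whose unused NIC should be disabled before the stale records are deleted; otherwise the server re-registers the address.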
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Reader to Reader 


Enter Your Administrator Credentials Only Once

You're a domain administrator. Following 
good security practices, you log on to your 
Windows XP workstation with your restricted 
domain user account, not with your domain 
administrator account. To avoid logging off 
and on repeatedly, alternating between your 
user and your administrator accounts, you 
launch programs that require administrator 
credentials by using those programs' Run As 
option. 

Here's a simple trick you can use to avoid repeatedly entering your administrator account credentials each time you need to use the Run As option. Begin by creating a shortcut to cmd.exe on your desktop. (You can find cmd.exe in the C:\WINDOWS\system32 folder.) Right-click the shortcut icon, and select the Run as option. Enter your administrator credentials and click OK. Keep this command-shell window open or minimized. From this point on, you don't need to enter your administrative credentials again. To launch an application that requires an administrator account, simply drag and drop the application's icon onto the open command-shell window and press Enter. (If the command-shell window is minimized, you can drag and hover the application's icon over the command-shell window button in the taskbar. After the command-shell window opens, drop the application's icon onto the window.) Every application you launch this way will run under your domain administrator account.

To launch the shortcut icon with a double-click (instead of using its Run As option) and to get the command-shell window to always start positioned in a specific directory, right-click the command-shell window's shortcut icon and select Properties. In the Target field enter runas.exe /user:your_domain_name\your_domain_admin_userid "cmd.exe /k cd\your_dir" (replacing your_domain_name, your_domain_admin_userid, and your_dir with the appropriate information).

Finally, to distinguish this command-shell window from other command-shell windows you might have open, give it a different colored background. To do so, use the shortcut to open the command-shell window, right-click anywhere on the title bar, and select Properties. Click the Colors tab. Select the Screen Background radio button, select a color (e.g., red), and click OK. You'll get a dialog box that basically asks whether you want this change to apply to just the current window or future windows as well. Select the option that provides the latter. The option might read Modify shortcut that started this window or Save properties for future windows with same title, depending on your machine.

—Andre Boutet, Technical Analyst, 
CSST Quebec 
InstantDoc ID 96614

Lighten Your Computer’s Load

One of my favorite activities is finding ways to "lighten" my computer—that is, make it less resource-hungry. One way I do this is by replacing applications that I use regularly with "lite" programs that perform the same tasks or at least the most commonly used tasks. It's even better when these programs are free and have more capabilities than the original applications. Here are some free lite programs that I've found useful:

• Foxit Software's Foxit Reader 2.0 (http://www.foxitsoftware.com): This PDF reader is 1.67MB, needs about 5MB of RAM, and starts up almost instantly. An .msi file is available for download, so you can deploy this program through Group Policy.

• PDFCreator (http://sourceforge.net/projects/pdfcreator): PDFCreator provides an easy way to create PDF files from any application. It creates a virtual printer named PDFCreator. Whenever you want to create a PDF file from a document, you just send the document to this virtual printer. You can deploy this program through Group Policy.

• 7-Zip (http://www.7-zip.org): This program opens all popular compressed files (e.g., .zip, .iso, .rar, .arj). Plus, it provides a new compression format (7z) that, according to the Web site, provides a compression ratio that's up to 10 percent better than the ratio provided by PKWARE's PKZip and WinZip Computing's WinZip. One of my favorite features is that you can compress and decompress files in the background. You can deploy this multilingual program through Group Policy.

• Media Player Classic (http://sourceforge.net/project/showfiles.php?group_id=82303&package_id=84358): Although Media Player Classic looks like Microsoft's Windows Media Player (WMP), Media Player Classic is faster and requires less memory than WMP. Media Player Classic is highly extensible.

• Real Alternative (http://www.free-codecs.com/download/Real_Alternative.htm): Real Alternative plays RealMedia files (e.g., .rm, .ram, .rpx, .smi). It provides the same capabilities as Real Player but without all the annoying registration forms and advertisements. Plus, Real Alternative consumes fewer resources than Real Player.

• Microsoft Virtual CD-ROM Control Panel (http://download.microsoft.com/download/7/b/6/7b6abd84-7841-4978-96f5-bd58df02efa2/winxpvirtualcdcontrolpanel_21.exe): This unsupported Microsoft program lets you mount ISO images to your computer. It loads a Virtual CD-ROM device driver, which you can start and stop as desired.


One free lite program I don't recommend is QuickTime Alternative player (http://www.free-codecs.com/download/QuickTime_Alternative.htm), which plays QuickTime files (e.g., .mov, .qt, .3gp). My experience with QuickTime Alternative has been less than optimal.

—Apostolos Fotakelis 
InstantDoc ID 96615 
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Security 

Manage User Privileges 


BeyondTrust Privilege Manager 3.0 is a Group Policy extension that lets you implement least-privilege security in Windows Vista environments. With Privilege Manager, you can let end users run all required applications and perform all authorized system tasks without giving them administrative privileges. Unlike Vista’s User Account Control, which requires users to respond to a prompt every time they want to use an application that needs elevated privileges, Privilege Manager sets permissions for each application and task and is transparent to end users. Version 3.0 introduces support for Windows Vista and 64-bit systems. Pricing starts at $30 per seat. For more information, contact BeyondTrust at 603-610-4250 or visit www.beyondtrust.com.


Group Policy 

Simplify Policy Management 

Need help verifying that workstations on your network comply with Group Policy? SDM Software’s GPExpert Troubleshooting Pak 1.0 provides a collection of utilities that help optimize the policy review process. The Health Reporter utility provides a quick “red or green” analysis of target machines; Log Analyzer can peer into Group Policy logs, including the new Vista operational logs;
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Product Spotlight 


Manage Virtualized Applications with Encapsulation 

If you’re being asked to maintain applications that are vital to your enterprise, but those apps are proving incompatible with or difficult to move to newer OSs, application virtualization vendor Trigence might have a solution. Trigence AE 3.0 for Windows is a cross-platform application virtualization environment that lets you put applications in a “Trigence capsule” that separates the application and its dependencies from the OS and underlying IT infrastructure. Encapsulated applications can be easily moved from legacy to updated hardware and OSs, a process that might have been difficult, expensive, or even impossible without the benefits of virtualization.

President and CEO David Roth stresses the advantages of encapsulation. “Application encapsulation is a critical component of a dynamic utility computing model that allows enterprises to achieve dramatically higher performance from their IT infrastructure,” said Roth.

According to Trigence, applications can be encapsulated quickly (thanks to a set of template files) and maintain their unique dependencies after encapsulation. They can then be moved to a different copy of the OS or easily transferred to a newer OS version. The product supports third-party management tools through standard interfaces such as Windows Management Interface and Simple Object Access Protocol and will be generally available in fourth quarter 2007. For more information, contact Trigence at 201-377-0492 or visit www.trigence.com.


Status Monitor, a system tray utility, provides information on policy processing; and Group Policy Spy tracks down errant administrative policies that might be conflicting with desktop application functionality. All the utilities are compatible with Windows Vista/XP/2003. For more information, contact SDM Software at 415-670-9302 or visit www.sdmsoftware.com.

Load Balancing 

Moving Closer to IPv6 

A10 Networks has announced that its AX Series application acceleration switch now supports the IPv6 Internet protocol. The company plans to release IPv6 server load balancing features in phases over the next year. The first release, due later this year, will support IPv6 deployments in both transparent and gateway modes and introduce IPv6 server load balancing and static route support. For more information, contact A10 Networks at 408-325-8616 or go to www.a10networks.com.

WLAN Troubleshooting 

Detect and Resolve Wireless 
Network Problems 

AirMagnet’s Handheld Analyzer 7.0 now supports the Summit SDC-CF20G 802.11g compact flash card with integrated antennas as well as 802.11g and 802.11d wireless networking protocols. The system can detect use of pre-802.11 devices on the network and notify administrators. And AirMagnet’s AirWISE technology detects wireless network problems, explains them in detail, and recommends steps to take to resolve them. For more information, contact AirMagnet at 408-400-0200 or browse to www.airmagnet.com.

InstantDoc ID 96525 
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Industry Bytes 


Insights from the industry 

American ITIL: Help Desk Software Comes of Age 


I recently spoke with HP Product Marketing Manager David D’Agostino about the Help desk software industry. In April, HP announced HP Service Desk, an outsourced, single-point-of-contact end-user Help desk solution delivered through HP Services. I wondered about the effect of Microsoft’s imminent entry into the Help desk arena with System Center Service Desk.

Added to this mix of transforming factors in the Help desk industry is the increased adoption by larger businesses of Help desk best practices as set forth by IT Infrastructure Library (ITIL) standards. HP integrates its products with ITIL (in fact, several thousand ITIL-certified consultants are part of HP), and many other well-known Help desk software companies integrate at least a portion of ITIL best practices in their solutions.

D’Agostino, like many Help desk industry 
insiders I’ve spoken to, feels that the field 
is a logical place for Microsoft to enter. The 
Help desk software industry has matured 
greatly, but there’s still room for growth. 

The question many insiders have is simply 
how Microsoft will do it—via bundling the 
solution with server components or offering 
it through resellers. 

As D’Agostino says about today’s Help desk solutions: “Everyone has incident management, but what you surround it with is what matters. You need incident and change management and real workflow, and also the right kind of approval process. You need a flexible, definable engine to manage workflow and approval strategy.”

Today, he says, Help desk tools are focused on the here and now: “Once changes are made, people forget about the change, and organizations don’t have a chance to learn from the history of a problem.” He added that HP plans to change that with a feature called Decision Center that will deal with the here and now but also sweep information into a data warehouse and use it for trend analysis. “A logical step from trend analysis is to ask ‘what if’ questions. Decision Center lets you see the impact on the business from actions you might take.”

The future is all about “breaking down the 
walls between the silos,” he says. “Taking a 
service approach, shifting from process to 
service and how it’s applied to business—you 
end up with a continual improvement cycle. 


— Caroline Marwitz 
InstantDoc ID 96497 


Acquisition Will Likely Lead to a Large 
Footprint in the Windows Market 

Quest Software, which provides database, application, and Windows-management solutions, recently announced its plan to acquire ScriptLogic, a provider of system-management solutions for Windows networks. Scott Davidson, the vice president, treasurer, and head of investor relations at Quest, revealed that there are several reasons why Quest is spending approximately $90 million to acquire ScriptLogic. First and foremost is Quest’s desire to expand its product footprint in the Windows desktop market.

“Most of the growth that we’ve seen across our Quest businesses in the last couple 
of years has been predicated in the Windows space as a whole. A large part of that has 
been focused on products on the server side. Up to this point, we really haven’t had 
much of a product footprint in the desktop market. We have one product that manages 
desktops through Group Policy, but it hasn’t really been a focus for us in the past,” said 
Davidson. But that will no longer be the case when Quest acquires ScriptLogic because 
more than 19,000 customers are currently using ScriptLogic products to manage about 
4.75 million desktops. 

The acquisition of ScriptLogic will expand Quest’s presence not only in the desktop market but also the small-to-midsized business (SMB) space, according to Davidson. “From the perspective of feature functionality and depth of solution, most of Quest’s products in the Windows space are geared toward enterprises. The customers that ScriptLogic has been typically targeting with its product set are the small-to-medium-sized businesses.”

Market expansion isn’t the sole driving force behind the acquisition. From a financial perspective, Davidson notes that, “ScriptLogic is a nice, stable, growing business that’s profitable.” In addition, the acquisition gives Quest the opportunity to try a new sales model. “Quest has historically been driven by direct sales with the customer... The acquisition will give Quest a new opportunity for distribution beyond the direct sales model.”

Because Quest is planning to run ScriptLogic as a wholly owned subsidiary, the management team that’s currently in place at ScriptLogic will remain. Similarly, ScriptLogic will keep its autonomy in regard to customer support and engineering. And the same engineering group that has developed products for ScriptLogic over the years will continue to do so. Assuming that all the legal and regulatory approvals are given, Quest’s acquisition of ScriptLogic is expected to be completed in the third quarter 2007.

— Karen Bemowski 
InstantDoc ID 96414 
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Virtual Iron Enterprise Edition 3.6 

Editor’s Note: The following is a summarized version of John Green’s review of Virtual Iron Enterprise Edition 3.6. To read the full-length version of the article, go to http://www.windowsitpro.com and enter InstantDoc ID 96390.


Virtual Iron Software’s Virtual Iron Enterprise Edition 3.6 is a desktop and server virtualization solution competing in the same market as VMware’s ESX Server. Virtual Iron 3.6 supports 32-bit versions of Windows Server 2003 and Windows XP, as well as both 32-bit and 64-bit versions of Red Hat and SUSE Linux. Virtual Iron comes with an advanced feature set that includes LiveRecovery, which enables virtual servers to restart on a new managed node in the event of a hardware failure on the running managed node; LiveMigration, which lets you move a running virtual server between managed nodes without interrupting service; and LiveCapacity, which uses LiveMigration to automatically move a virtual server to a new managed node when the running managed node’s CPU utilization exceeds a specified level for a fixed period of time.

You install Virtual Iron on a Windows or Linux-based system that will act as the management server. The management server coordinates the activities of managed nodes, which are the systems that host virtual servers. You can configure and manage Virtual Iron both locally and remotely by using a Java-based Web application hosted by the management server. Web Figure 1 (http://www.windowsitpro.com, InstantDoc ID 96390) shows the Virtual Iron management network. This product requires that the management server and each managed node have at least two network interfaces: one supporting a private network for Virtual Iron functionality, and one or more interfaces for virtual servers to use in their communications.

Virtual Iron 3.6 is a reasonably priced virtualization product at $499 per socket (i.e., per physical processor, including quad-core processors) in licensed managed nodes. Although the list of officially supported OSs and hardware is relatively limited, the product will certainly meet the needs of most businesses. The Java-based UI was very responsive and certainly facilitates remote access. If you’re looking for an alternative to ESX Server, give Virtual Iron 3.6 a good look—I don’t think you’ll be disappointed.

InstantDoc ID 96390
—John Green 


SUMMARY 


Virtual Iron Enterprise Edition 3.6

PROS: Easy installation; a responsive, Java-based Web console; LiveMigration-based features add power and flexibility; uncomplicated configuration and management

CONS: List of supported guest OSs is fairly short; some implementation details have room for improvement

RATING: ♦♦♦♦O

PRICE: $499 per socket (aka physical processor)

RECOMMENDATION: Virtual Iron Enterprise Edition 3.6 is an easy-to-use, workable, and reasonably priced virtualization platform that’s worth your time to evaluate.

CONTACT: Virtual Iron • http://www.virtualiron.com • 978-849-1200



Summaries of in-depth product 
reviews on Paul Thurrott’s 
SuperSite for Windows 
http://www.winsupersite.com 


Microsoft Outlook Connector for Wint 


Now completely free to all users, works semi-seamlessly, and is simple to configure and use. 

No free calendar support—yet. 

If you’re already using Outlook 2007 or 2003 for work, perhaps because of a Microsoft 
Exchange requirement, you might want to use Outlook to manage other email accounts, including personal email 
accounts. Normally, this isn’t a problem: Outlook supports multiple accounts, and can work with a wide range 
of email service types, including those that use industry standard POP3 and IMAP technologies. Until recently, 
however, accessing Hotmail (or MSN or Live.com) email via Outlook required you to have a Hotmail Pro, MSN 
Premium, or other paid account. Now, access is free, and Microsoft is offering its excellent Outlook Connector 
software, which adds Hotmail compatibility to Outlook, to everyone. With Outlook Connector, Hotmail is accessed 
almost exactly like Exchange, where messages and contacts are kept on the server and synchronized seamlessly 
with the client. There’s only one small problem, and this shouldn’t affect most users: Hotmail’s calendar will need 
to be updated before you can access it through Exchange. Microsoft says an updated version is coming within the 
year. (Paid MSN users can, however, continue to access their calendar with Outlook Connector.) 

Microsoft • 800-426-9400 • http://www.microsoft.com 

http://www.winsupersite.com/reviews/winlive_hotmail_02.asp 


Now feature-complete, with new IIS role 
in Server Core; Web server can be deployed in 
production environments. 

Pre-release code is still risky. 

♦♦♦♦O 

Windows Server 2008 (previously code-named Longhorn Server) is a major revision to Microsoft’s server product line. Microsoft has indicated that the final version will ship by the end of the year. For now, however, Beta 3 and subsequent RC and Community Technology Preview (CTP) releases are painting a feature-complete picture of the release, and it looks solid: Windows 2008 features a major architectural change with componentized roles, a major new IIS release, a command line-only Server Core install option, a new scripting environment called Windows PowerShell, and other new features. It’s available for free from Microsoft’s Web site: Check it out today.

Microsoft • 800-426-9400 • http://www.microsoft.com

http://www.winsupersite.com/reviews/lhs_beta3.asp

InstantDoc ID 96599 
Comparative Review

CROSS-PLATFORM IDENTITY MANAGEMENT SOLUTIONS FOR SINGLE SIGN-ON

3 great products with different strengths, similar weaknesses

by Eric B. Rux and Darren Ehmke

ILLUSTRATION BY ROY SCOTT / IMAGES.COM

Heterogeneous authentication software solves many companies' basic need for single sign-on (SSO) functionality in all their IT systems. If your company is subject to regulations that require SSO—some companies, for example, have interpreted the Sarbanes-Oxley (SOX) Act as a requirement for this functionality—you'll want to learn the ins and outs of this software.

The three applications that we chose to evaluate in this comparative review are Quest Software Vintela Authentication Services (VAS), Centeris Likewise Identity, and Centrify DirectControl. Each of these programs lets a UNIX or Linux system (in this article, we'll use the term "UNIX" to mean any UNIX or Linux system) authenticate to Active Directory (AD). However, the applications have both subtle and major differences that you need to understand. Knowing about these differences will help you choose the perfect solution for your organization.

How Heterogeneous Authentication Software Works

You might be wondering how in the world a UNIX platform can authenticate to Windows, or where information would be stored in such a scenario. The answer to both questions is Active Directory Schema Extensions. If you've worked with Microsoft Exchange Server, you're familiar with the concept of extensions: Microsoft's Exchange team added fields such as msExchHomeServer to AD to let you keep track of where your system stores email. AD can also be extended to store UNIX user account information. However, extending the schema isn't allowed in some environments and is done cautiously in others. After the schema has been extended, it can't be easily undone. If extending AD concerns you, pay attention to how each vendor does it, because each adds UNIX support in slightly different ways.

After extending AD to store UNIX user account information, the vendor must provide the means for the client to "understand" the new functionality. To that end, all three vendors offer a client piece that you install on each UNIX machine. The ease of client installation and the client's effect on the machine might be important to consider. For example, who will deploy the client onto the UNIX machine? If an administrator is installing it, then ease of installation isn't as important as it would be if users were installing it. Be aware of your internal requirements so that you won't be surprised later. Additionally, if you have an existing UNIX server infrastructure with multiple user IDs, be sure to take a close look at how each vendor supports it. Beyond the products' basic authentication pieces, other features set each vendor apart—for example, the ability to apply Group Policy Objects (GPOs) to your Linux and UNIX systems.

UNIX Personality Management

When you're choosing a heterogeneous authentication solution, consider how the product manages multiple UNIX personalities. A UNIX personality is a user ID similar to a SID or globally unique identifier (GUID) in Windows. In Windows, we seldom consider our users' GUIDs unless we're performing a migration or consolidation. However, in UNIX, this information is located in text files, which are easily accessible. You need to understand how UNIX user IDs work, and you need to have a method for managing different UNIX personalities.

When you create a new user in UNIX, the system creates a unique numerical ID. However, different UNIX vendors use different starting numbers for the user IDs. Some systems start with 100, whereas others start with 500. A person's user ID could be 107 on one system and 517 on another system. This scenario is called "multiple UNIX personalities."

To make things a bit muddier, group IDs also differ among vendors. A user might belong to a group named DEV with a group ID of 37 on one system and a group ID of 104 on another system.

Imagine how complicated it would be to try to map one AD user account to these different user IDs and group IDs. UNIX personalities management—a key feature of all three products in this review—takes this problem into account and lets AD authenticate multiple personalities.
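The inventory step behind this mapping problem, as an added example that is not from the article or from any of the reviewed products: a short Python audit that reads passwd-format data from several hosts and reports which logins have multiple UNIX personalities and which numeric UIDs belong to different people on different hosts. The host names and account entries are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data: passwd-format text from two hypothetical hosts.
# hostA numbers ordinary users from 100, hostB from 500; hostB also has a
# local account that happens to reuse UID 107.
PASSWD_BY_HOST = {
    "hostA": (
        "root:x:0:0:root:/root:/bin/sh\n"
        "jsmith:x:107:37:Jane Smith:/home/jsmith:/bin/sh\n"
        "mlee:x:108:37:Min Lee:/home/mlee:/bin/sh\n"
    ),
    "hostB": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "# local service account\n"
        "backup:x:107:104:Backup:/var/backup:/bin/bash\n"
        "jsmith:x:517:104:Jane Smith:/home/jsmith:/bin/bash\n"
        "broken:line:without:enough:fields\n"
    ),
}


def parse_passwd(text):
    """Return {login: (uid, gid)}; skip comments, blanks and malformed lines."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        try:
            users[fields[0]] = (int(fields[2]), int(fields[3]))
        except ValueError:
            continue
    return users


def build_table(passwd_by_host):
    """Return {login: {host: (uid, gid)}} across all hosts."""
    table = defaultdict(dict)
    for host, text in passwd_by_host.items():
        for login, ids in parse_passwd(text).items():
            table[login][host] = ids
    return dict(table)


def multiple_personalities(table):
    """Logins whose (uid, gid) pair is not the same on every host they exist on."""
    return {login: hosts for login, hosts in table.items()
            if len(set(hosts.values())) > 1}


def uid_collisions(table):
    """UIDs held by different logins: {uid: sorted [(host, login), ...]}.

    On storage that records numeric owners, files with such a UID appear
    to belong to a different person depending on which host reads them.
    """
    owners = defaultdict(set)
    for login, hosts in table.items():
        for host, (uid, _gid) in hosts.items():
            owners[uid].add((host, login))
    return {uid: sorted(pairs) for uid, pairs in owners.items()
            if len({login for _host, login in pairs}) > 1}


if __name__ == "__main__":
    table = build_table(PASSWD_BY_HOST)
    for login, hosts in sorted(multiple_personalities(table).items()):
        print("multiple personalities:", login, hosts)
    for uid, pairs in sorted(uid_collisions(table).items()):
        print("UID collision:", uid, pairs)
```

The collision report is the part to review before consolidating accounts into one directory: a UID shared by two different people has to be resolved before file ownership can be trusted.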


SUMMARY 


Quest Software Vintela Authentication Services

PROS: When adding new UNIX machines to AD, VAS lets you choose a CN or OU other than the default “Computers”; logging on doesn’t require the user to use “Domain\Username”; integrates with Vintela Group Policy (Group Policy for UNIX)

CONS: Creating a personality container for multiple personalities isn’t intuitive; requires AD Schema Extensions if not running Windows Server 2003 R2

RATING: ♦♦♦♦O

PRICE: $325/UNIX server, $45/UNIX workstation

RECOMMENDATION: If you need strong Group Policy support for your UNIX machines, we recommend Quest Software Vintela Authentication Services.

CONTACT: Quest Software • http://www.quest.com/unix-linux • 800-306-9329


Testing the Products

Our test lab consisted of a simple network with one Windows Server 2003 SP1 AD domain controller (DC) and a Linux PC. Each system ran in a VMware virtual machine (VM) for easy duplication and rollback capability. Because Windows 2003 R2 introduced UNIX user account support, we specifically chose not to use this newer version of Windows 2003—we don't believe most shops have upgraded their DCs to R2. Instead, we wanted to see how each vendor dealt with the more common pre-R2 scenario. If you do decide to upgrade the schema to either R2 or one of the proprietary updates, be sure you have a detailed plan in place first. In the Web-exclusive article "Plan Your Dive, Dive Your Plan" (InstantDoc ID 94735), you'll find a tried-and-true method for ensuring that your major upgrades don't go sideways.

Without exception, all three applications performed well. Each let us quickly add the necessary functionality to the DC, set up a small client on the Linux PC, then log on to the Windows domain from the Linux PC within a few minutes. At that point, however, the similarities ended.

Quest Software Vintela Authentication Services

The VAS installation script runs through a basic text-based wizard that takes only a few minutes. UNIX client installation occurs in the form of a Red Hat Package Manager. In our tests, the installation was quick and simple. After the installation was complete, we performed a short configuration.

For the Windows installation, you get a nice GUI that helps you find the setup wizards, manuals, and other information. The Windows installation is smooth and straightforward. If you're not running a Windows 2003 R2 schema, you'll need to run the Schema Wizard to extend AD to support UNIX account attributes. Don't take this important advice lightly. Although we're sure that Quest did its due diligence when writing the scripts to extend AD, you shouldn't attempt AD extension without proper planning and a good recovery plan. It would be better to upgrade to R2 and extend the schema that way, if only because the R2 extensions were written by Microsoft. Given a choice, we would rather support a "standard" AD than one created by a third party.

In addition to the UNIX account attribute extensions, Quest also extends the schema to support the Personality Management Schema Extension. Again, it's probably perfectly safe to use Quest's extensions, but if your organization doesn't allow these kinds of core changes to AD, you might want to look at solutions that don't require the schema to be extended. On a positive note, the changes that are necessary appear to be pretty small. You can find further information about these extensions in a PDF file in the evaluation software.

SUMMARY

Centeris Likewise Identity

PROS: Familiar GUI for install routine for UNIX; doesn’t require AD Schema Extensions; reporting and migration tools included

CONS: Setting up a cell for multiple personalities wasn’t intuitive

RATING: ♦♦♦♦O

PRICE: $249/UNIX server, $49/UNIX workstation; charged per agent installed; can run as many versions of the console on as many desktops as you want

RECOMMENDATION: If you need UNIX authentication in AD and don’t want to extend the AD schema, we recommend Centeris Likewise Identity.

CONTACT: Centeris • http://www.centeris.com/products

Adding additional UNIX personalities isn't an intuitive process. When we tried to create a UNIX personality, we kept getting the error "There are no personality containers defined. Create a personality container, then retry the operation." We had trouble determining how to create a personality container. Eventually, we solved the problem: You can't create a UNIX personality container in an AD container—for example, the default user's common name (CN). Instead, you must create it in an organizational unit (OU). Figure 1, page 22, shows the dialog box you use.

VAS also supports extending AD's Group Policy to push down policies to UNIX clients. The default settings that you can change are scripts, cron, files, login prompt, message of the day, sudo, symbolic links, and syslog—a pretty good start right out of the box. If you need to push down a policy to your UNIX clients, and that policy isn't included by default, you can write your own. A detailed section of the documentation explains how to write and apply your own policies.

VAS supports many UNIX clients, including Red Hat Linux, SuSE Linux, Tru64, and VMware ESX Server. The full list of supported clients can be found at http://www.quest.com/vintela-authentication-services.

Centeris Likewise Identity

The GUI-driven Likewise Identity UNIX installation worked flawlessly in our tests. After the installation was complete, the software prompted us to choose either GUI or command-line based client setup. We chose the GUI option and were surprised how similar the process and interface looked to a Windows machine.

The installation of Likewise Identity on the Windows side took a bit longer because the installation routine had to download Microsoft .NET Framework 2.0 and Microsoft Management Console (MMC) 3.0. We don't consider this delay a major concern, but you should be aware of it, especially if your network doesn't have an Internet connection. After the system took care of its prerequisites, the installation went very smoothly.

As we discussed at the beginning of this article, AD schema changes shouldn't be taken lightly. Unlike VAS, Likewise Identity permitted an installation without extending the schema. The lack of a requirement to extend the schema sets this Centeris product apart from its competitors. Whereas the other two applications can use the default R2 UNIX account schema extensions instead of adding their own, Likewise Identity adds this functionality without requiring any R2 or third-party schema updates. It does this by stacking, or putting the data into unused portions of AD. The downside to not updating the AD schema is that, as you add UNIX-enabled users to AD, performance could take a hit. We were unable to test large numbers of UNIX computers and users in our test lab to compare performance between extended and non-extended environments, so we can't tell you where this performance cut-off is. If you have many UNIX-enabled users, you should consider adding the default R2 schema extensions to take advantage of the indexing they offer. Either way, this product gives you a lot of flexibility in implementation.

The Likewise Identity Console has a decent set of features, including a report tool and a UNIX Identity Migration Tool. This migration tool helps you migrate existing UNIX accounts, password files, and group files into AD. It can also create a script to reset the ownership of files on the UNIX system if they're affected by the migration. Figure 2 shows the dialog box for joining the AD domain.

To enable support for multiple user and group IDs, we had to create a separate OU and enable what Centeris calls cells on the OU. This process wasn't at all intuitive, so we had to dig out the Likewise-Identity-Administrators-Guide.pdf in the documentation. In the end, the functionality is similar to the way that the other vendors support multiple UNIX personalities.

Likewise Identity also provides Centeris Group Policies, but these policies are limited in what they push to the UNIX clients. Out of the box, these policies can change the sudo file, change Automount files, set cron jobs, and run login scripts.

We discovered by accident that with Likewise Identity, the UNIX client boots cleanly when the Windows 2003 AD DC is down. Obviously, you can't log on to the domain if the DC is down, but if it is, UNIX machines with the Centeris client don't have any problems booting up. The other two clients appeared to slow down slightly while they looked for the DC during boot-up (but they did eventually come up without any problems).

Likewise Identity supports many UNIX clients, including Mac OS X, Red Hat Linux, SuSE Linux, and Ubuntu. For a full list of supported UNIX clients, see http://www.centeris.com/products/likewise_identity/supported_platforms.php.


Centrify DirectControl

Of the three products, the DirectControl text-based UNIX installation was the simplest. It asked a few simple questions and was installed in minutes. And as with the other two applications, the Windows installation of DirectControl went smoothly.

After the installation is complete, you can either start with the MMC AD Users and Computers snap-in to configure DirectControl or go straight to the Centrify DirectControl snap-in. Unlike the other two products, the Centrify product walks you through a comprehensive wizard to set up UNIX personality management in what DirectControl calls zones. Figure 3 shows the Create New Zone wizard. Of the three products, DirectControl is by far the most complex when it comes to setting up and using UNIX personality management, but it's also the most robust.

Figure 3: DirectControl Create New Zone wizard

According to Centrify, zones are similar to AD domains and organize the different flavors of UNIX in your environment. For example, you could group all your Red Hat machines in one zone and your Solaris machines in another zone, then assign the separate zones different login shells or assign the zones to different groups.

DirectControl offers Group Policy support that's similar to that of VAS. Enabling this support in our tests was as simple as adding the centrifydc.adm template to a new GPO. We were surprised by just how many options you can configure, including password policies and UNIX login settings.

An interesting feature is Personality Account Management (PAM) Conflict Resolution. With the many user IDs, GUIDs, and accounts floating around in a large organization, there's bound to be a conflict or two. What should the system do if it discovers a conflict? You can choose Ignore (i.e., do nothing), Warn (i.e., warn the user of the conflict after logon), or Error (i.e., don't let the user log on). You control all these options, including the text of the error message that the user will see, via Group Policy.

DirectControl supports many UNIX clients, including Mac OS X, Red Hat Linux, SuSE Linux, and VMware ESX Server. To see a full list of supported UNIX clients, visit http://www.centrify.com/directcontrol.

SUMMARY

Centrify DirectControl

PROS: Doesn’t require user to use “Domain\Username” when logging on; detailed documentation explains how to authenticate multiple platforms and databases; software development kit (SDK) available to extend the default functionality; reporting capability; robust UNIX personality management

CONS: Requires AD Schema Extensions if not running Windows 2003 R2

RATING: ♦♦♦♦♦

PRICE: Starts at $800 for three nodes

RECOMMENDATION: If you want a seasoned contender with strong UNIX personality management and robust migration management, Centrify DirectControl gets our highest recommendation.

CONTACT: Centrify • http://www.centrify.com
Editors’ Choice

All three products performed admirably in our tests and can accomplish what they advertise. Centeris Likewise Identity receives kudos for finding a way to let UNIX-based machines authenticate to AD without altering the AD schema. If you have many users, this shortcut can come at a price with reduced performance, but it's nice to have the option. For Group Policy functionality, Centrify DirectControl impressed us. We really liked the way that DirectControl uses ADM templates instead of adding additional bloat to AD Users and Computers. Quest Software Vintela Authentication Services stood out with such smart features as letting you choose which OU a new PC would be added to, and it doesn't make the user preface a logon name with the domain name.

What didn't we like? For all three products, adding or enabling UNIX personality management wasn't as easy as we thought it could be. In many cases, the vendors should just make the pop-up error messages more informative—rather than just telling the user to create a cell or a zone, let the user know where the tool is to accomplish the task.

Although all three products are first rate, Centrify DirectControl wins the Editors' Choice award, as it is the most robust product of all three. You can't go wrong if you choose Centrify.
What’s Up at the Help Desk

Best practices and a big new player are shaping the market

by Caroline Marwitz

For better or for worse, how users view the Help desk is how they view your IT department: It's the first point of contact for end users and customers interacting with IT. Maybe your organization realizes this and is making the Help desk more service oriented. Or maybe your organization is still at the stage of "let's give the techs cell phones and a spreadsheet and call it good." Or, as one Help desk software solution manager put it, maybe you're still at "the sticky note stage." Whatever stage your organization is at, you might be affected by what's happening in the Help desk solution industry, especially with Microsoft entering the market. Forces such as the move to standardize best practices are influencing not only what Microsoft has planned but also what many other Help desk software vendors are offering.

With the help of industry insiders working at various Help desk solution companies, I was able to take the pulse of the Help desk industry today, glimpse the growing movement toward incorporating best practices in service desk management, and scout possible future changes. I also got a sense of what it means for Microsoft to be entering the picture. You might also be interested in some advice I heard about how to approach purchasing Help desk software and what features your fellow IT pros are asking for.


This Isn’t Your Father’s Help Desk

Help desks began as a group of the most knowledgeable people in the IT department working phones and taking user questions. The goal was to close out a ticket as fast as possible, and the work was largely reactive. Now Help desks have scattered worldwide, gone offshore, and moved to the Web. Operating within tight budgets and stringent staffing levels, Help desks still manage to deal with a huge number of user problems. According to a study released by SupportSoft, a provider of automated solutions to technology problems, the top five user issues are forgotten passwords (now that's a surprise!), and problems with systems, enterprise software, connectivity, and email. Additional issues include user complaints about slow computers, printer problems, and the problems raised when businesses deploy new software, such as Windows Vista.

So what's an organization to do? Most turn to a software provider for a solution. As Ryan Terrell of GWI Software put it, Help desk software "is not a fun thing to buy. It's not one of those neat new technologies." Numara Software's David Weiss added, "It's not an impulse buy—usually it's a result of someone concluding 'I've dealt with the chaos long enough—I need a way to deal with problems.'" Help desk software providers have found ways to free Help desk personnel from the endless round of reactive work answering calls and resolving tickets, to approach Help desk issues more proactively. This move toward proactive resolution has in part been prompted by a set of standardized best practices formulated in the UK, known as Information Technology Infrastructure Library (ITIL).


Why Should I Care About ITIL? 

As long as your Help desk functions properly, you might not 
know or care about international standards for Help desk 
best practices, but these standards are influencing Help 
desk software features and the terminology that describes 
them. Set forth in multiple volumes, ITIL standards are 
affecting how organizations deal with Help desk problems, 
how they choose Help desk software, and what features 
software providers are offering. 
ITIL is a framework of best practices, not a step-by-step how-to of Help desk methods. ITIL standardizes the terminology and best practices of services a "service desk" delivers to its end users or "customers" using these main categories:

• Incident management—how you respond to and communicate with customers.

• Problem management—how you find root causes of problems and create and document solutions.

• Change management—how you decide which problems should be fixed, in what order, and by whom.

• Configuration management—how you manage all the parts and relationships in your IT infrastructure.

• Release management—how you roll out new software and hardware.

Kevin Auger of LANDesk said ITIL influenced LANDesk's Service Desk offering: "ITIL has defined some very good concepts that can improve a business from an efficiency and governance standpoint." LANDesk's strategy is to promote ITIL in a practical way, he said.

BMC Software's Gerry Roy said, "We've been hearing about ITIL for a long time, especially over in Europe. It's taken a while for awareness to grow in the States. It's not so much that a product is ITIL-verified or ITIL-compliant—what's important is that a product will help you implement ITIL."

Numara's Weiss said, "Whether it's ingrained 
behavior or a written spec, the idea of ITIL is 
good. The spec is leading the process, but the 
behavior will change ultimately." He added that 
ITIL helps foster a service mindset. 

One offshoot of this service mindset is the concept of self-service. ITIL emphasizes giving people the ability to help themselves. Most Help desk software solutions now offer a knowledge base to end users. Instead of waiting for a ticket to be resolved, users can search for known solutions to their problems and learn how to implement them.

"Incident volume is going up on a daily basis, but you can't increase staff. The solution is self-service and automation of processes. You create a catalog [of tasks] at the front end; a catalog curtails what users can do—we're conditioned to order what's on the menu. Then you automate the back end to do it. Customers definitely want both, because they can't increase their budget or their staff. We're trying to put as much at the end users' fingertips as possible," said BMC's Roy.

LANDesk's Auger said, "We license a knowledge base engine where customers can put their own content, and it aggregates problems and information, too. A good knowledge base expands and grows and lets customers have input."

"People know the core components, but they're not educated on every book of ITIL," said Terrell of GWI Software. "People are looking for the components they understand, such as incident management. For the midmarket, [when you mention] configuration management, you get a glossed-over gaze. And change management is often seen as a process for requesting change, as opposed to documenting and making changes."

Incident management is important to IssueTrak's customers, whether they're trying to be ITIL-compliant or just run an efficient Help desk, said Hank Luhring. "The better you can handle incident management, the better you can be proactive; it sets up a self-supporting cycle."

"We are trying to tune what we do to the sophistication of the market," said Numara's Weiss. He said that large, complex organizations will build an ITIL-compliant environment to the letter, discovering assets, then cataloging them, which can take several months. "Is a small business going to do that? No." In less complex environments, Change and Configuration Management (CCM) might not be as important, so those organizations might want a "lite" version of a configuration management database (CMDB).

No matter what they think of ITIL, most 
industry insiders would agree with Terrell of 
GWI Software: "Interest [in ITIL] comes in 
waves. But this last wave has been so sustained, 
I think it's here to stay. The features and idea of 
ITIL make sense." 


Some Major Players in the 
Market 

By now you might have guessed that many of 
the major players in the Help desk software 
market are companies whose managers, CEOs, 
and product gurus are mentioned above. 
Although there is a niche in the middle of 
the market where you'll find freeware and 
software put out by small companies, such 
products tend to focus mainly on tracking 
and issue discovery. For our purposes, we're 
looking at the market segment where you'll 
find more sophisticated solutions, such as 
Help desk software from BMC (BMC Remedy 
Service Management), FrontRange Solutions 
(HEAT), GWI Software (c.Support), IssueTrak 
(IT Help Desk), Kemma Software (Bridge- 
Trak for Windows), LANDesk (Service Desk), 
Numara (Track-It! and Footprints), Touch- 
paper (Touchpaper Customer ServiceDesk), 
and TOPdesk (TOPdesk Professional). These 
solutions tend to be Web-based and offer inci¬ 
dent management and CCM as well as issue 
tracking, and they include self-service options 
for end users, usually with a knowledge base or 
knowledge management feature. 

BMC's Remedy Service Management appli¬ 
cation helps organizations understand, model, 
respond to, and track IT system problems and 
business services failures. It includes BMC 
IT Service Support for the Midsized Business 
(formerly Magic) and BMC Discovery—along 
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with other tools that work together to help 
businesses run ITIL-oriented service desks. 
Its solutions are aimed at organizations with 
"mature" service desk needs, be they enter¬ 
prise organizations or smaller businesses. 

GWI Software's c.Support lets organiza¬ 
tions coordinate, manage, and track everyday 
support activities as well as complex workflows 
that involve several people or departments 
and interdependent tasks. GWI Software uses 
an all-inclusive pricing model (i.e., all features 
are included) and aims its solution at organiza¬ 
tions wanting an out-of-the-box solution that's 
easy to use and quick to configure. 

IssueTrak IT Help Desk helps organizations 
track, resolve, and report on the issues that 
affect a business, such as problems related 
to systems management, bugs, and facilities 
and operations management, and to man¬ 
age projects and related problem resolution. 
IssueTrak's customers range from small, mom- 
and-pop businesses to enterprise-level busi¬ 
nesses. The company also provides a hosting 
model of software as a service. 

LANDesk Service Desk offers process-driven 
incident management, role-based privilege sets, 
automatic actions, assignment, service levels, 
and escalation. It targets midmarket organiza¬ 
tions that want ease of use and configurability, 
as well as those looking for an effective way to 
introduce and use ITIL best practices. 

Numara Track-It! is an integrated Help desk 
and asset management solution that's precon¬ 
figured for the most commonly used Help desk 
tasks. Numara Footprints is a Web-based plat¬ 
form that's customizable and ITIL-compatible, 
offering advanced workflows and the capabil¬ 
ity to handle multiple projects. Numara targets 
customers who are looking for a cost-effective 
solution that's easy to use. 

Many, many more solutions exist, and wading
through them takes patience and a good
dose of analysis and self-evaluation. I'll discuss
how to shop for Help desk software in a moment.
But first, let's look at a solution that hasn't yet
entered the market but is already generating
interest: Microsoft System Center Service Manager
(formerly code-named Service Desk).

Enter Microsoft, Stage Left 

Microsoft is building Service Manager with a 
server at the heart of the solution to execute 
automated workflows that follow management
processes based on the best practices
set out by ITIL. Which workflows are available
depends on which solution packs (i.e., groups
of things such as Web parts and forms) are 
installed; solution packs can be standard ones 
that support ITIL best practices or specialized 
ones, possibly created by third-party vendors. 
To interact with the workflows, users access 
a Web-based portal. IT staff can access the 
portal or use a console. Service Manager also 
includes a CMDB that stores information 
about IT assets, and a data warehouse, which 
stores historical information about tasks performed,
for reporting and analysis.

Many industry insiders I spoke with believe 
Microsoft's entry into the Help desk arena was 
inevitable. Numara's Weiss believes Microsoft 
is entering the field because the company has 
a line of infrastructure products and there's a 
hole in that line where a Help desk product 
would be—so Microsoft is simply plugging the 
hole. He said there's still a lot of room for players
such as Numara. "Customers will still buy
our products when they have Microsoft tools." 
Most others felt the same way, saying that their 
company has an advantage over Microsoft 
in this market, whether from the experience 
of specializing in Help desk solutions or the 
nimbleness that comes from a willingness to 
listen to customers' requests in developing 
new features. Still, as one vendor said, "People
will buy Microsoft because it's Microsoft,
and people won't buy Microsoft because it's
Microsoft." Many companies are taking a wait-and-see
attitude but for now are curious about
what pricing and delivery system Microsoft will 
use. Several found it significant that Microsoft 
is promoting ITIL's best practices; whether or 
not you care about ITIL, you'll be using ITIL 
best practices when you use Service Manager. 

Looking for Help Desk Software

So what do you do if you're not in one of those 
organizations that's polarized for or against 
using Microsoft products? Well, you have a 
wealth of choices. As GWI Software's Terrell 
put it, "We all have similar features, but we 
all meet goals in different ways." Luhring of 
IssueTrak concurs: "There is no clear leader." 
What, then, is one to do? "Spend time uncovering
what your needs are—then go out into the
marketplace," Luhring said. Almost all of the
insiders I spoke with agreed that some self-evaluation
and analysis is necessary and that
rushing out to buy a solution is a mistake. Their 
advice can be distilled into three tips: 
1. Start with a list of things you like about
your current process. 

2. Identify three or four pain points or 
things you'd like to change. 

3. When you select a vendor, try the real 
product and test out the tech support. 

Roy of BMC suggested you find a solution 
"that adheres to standard processes, that has 
a modular approach." It should be easy to use:
"I shouldn't have to figure out the application 
itself. The tool should be seamless." LANDesk's 
Auger added, "Look for a solution that's intuitive,
pragmatic, and that would introduce ITIL
in a way that's not overbearing but simple." 
Luhring of IssueTrak said, "Call avoidance is 
important—doing what you can to avoid a 
call to your Help desk people. The end users 
can check on the issue themselves." He also 
stressed the importance of customer service:
"We find we win business based on our people—the
relationships we form and customer
support. No one buys our product without a 
demo and extensive conversations with our 
engineers." Terrell of GWI Software advised
watching out for hidden costs and add-ons
and instead looking for "easy licensing, no surprises."
And Numara's Weiss advocates finding
a solution that's cost-effective and easy to use. 

And what are customers telling Help desk 
software providers they want to see in a solution?
Some of the same features you want in
any solution, plus some features specific to 
Help desk software: 

• self-service 

• incidents automatically aggregated to a 
problem 

• integration of products 

• flexibility 

• ease of use 

• easy configuration 

• reports for decision makers 

• email support and alerting functions 

The Future of Help Desk Software

As end users grow increasingly sophisticated
and computer savvy, Weiss of Numara sees the
continuing importance of offering self-service
"to allow IT people to focus on the things that
aren't known." BMC's Roy noted the trend of
Help desks being increasingly scattered around
the globe and predicts the rise of the virtual service
desk in the future. Auger of LANDesk said
processes will have to be improved to make life
easier and simpler for customers: "The role of
process and the role of a process management
engine will be embedded in every application
to help drive efficiency." Terrell of GWI Software
sees an increasing need for automation
of processes. He also sees opportunities for
integration—for example, Help desk software
that integrates with asset management packages
and with Active Directory. Will Help
desks integrate and virtualize and automate
themselves out of existence? No, said Weiss. "As
long as there's innovation, there are going to be
problems," he said. "There'll always be a need
for some form of Help desk."
in Perspective


The latest server OS has evolved nicely by Mark Minasi 


Sometime early next year,
Microsoft will release
Windows NT Server 6.0,
once known as "Longhorn
Server" and now as Windows
Server 2008. Will you
love it? Well, that depends: 
Are you looking for a revolution, or just a bit 
of evolution? 

When it comes to Windows 2008, think 
more Darwin and Wallace, not Marx and 
Lenin. As with its two predecessors, Windows
Server 2003 and Windows Server 2003
R2, Windows 2008 offers some nifty new tools 
and innovations, as well as fixes for some old 
irritations. However, Windows 2008 doesn't 
have the kind of paradigm-busters that 
we saw in Windows 2000 Server—which 
means that the new OS will be relatively 
easy to incorporate into an existing Windows
server environment. Unfortunately,
Windows 2008 lacks solutions for some of its 
earlier sibling's most significant annoyances 
(as did Windows 2003 and Windows 2003 
R2). Although Windows 2008 offers many 
new technologies, I only have space to cover 
a few of its features. 
Vista Benefits

Whether you love it or hate it, Vista—Microsoft's
newest desktop OS—is the most secure
version of Windows yet. Windows 2008 builds
on Vista's code base, so it inherits Vista's security.
In addition, Windows 2008 benefits from
Vista's improved functionality.

64-Bit Is It! 

Perhaps the most comprehensive change in 
Windows 2008 is an architectural one: 64 bits. 
The default processor architecture is now 
considered to be 64 bits; 32 bits is pure legacy. 
According to Microsoft, Windows 2008 is the 
last server OS that the company will offer for 
32-bit processors. 

Good or bad, you might ask? Wonderful, 
I'd say! Yes, 64-bit code is somewhat larger 
than the corresponding 32-bit code, but the 
AMD64/EM64T chip architecture makes for 
easier low-level coding for programs—which 
means that developers are more likely to 
produce solid code. And even better, 64-bit 
architecture frees us from the 4GB address 
space and lets Windows grow to 16TB. Because
loading what is essentially the desktop version
of Windows 2008—"64-bit Vista Ultimate"—on
a desktop generates a Windows Task Manager 
report that Windows is using 1.08GB before 
you even start running applications, busting 
out of the 4GB limit seems like a very good 
idea. And since Exchange Server 2007 already 
requires 64 bits, perhaps Windows 2008's 64-bit-centricity
isn't such a shock.

Server Core 

By far, the feature with the single biggest "wow" 
factor in Windows 2008 has to be Server Core. 
Working with various versions of UNIX and 
Linux over the years has made me wish for a 
Windows version that's only loosely connected 
to its GUI. On a UNIX/Linux server, you can fire 
up the GUI just long enough to run a graphical 
administration tool, configure the server, then 
turn off the GUI. This approach gives you a 
server that uses less RAM, needs less CPU power, 
and is more secure (simply because less software 
equals fewer places for exploitable bugs). 

With Windows 2008, I got my wish, to 
a certain extent. The Windows 2008 beta 
gives you the option of installing either the 
full-blown version, or installing Server Core. 
When I installed Server Core, the installation
was lightning quick. I installed Server Core as 
a virtual machine (VM) on a system that was 
already fairly busy, and I was stunned that the 
entire installation took only 11 minutes, start to 
finish, and used just 200MB of RAM. 

In addition, Server Core runs on some 
downright skinny hardware. Although I don't 
suggest that you run a production Server Core 
system on a 256MB system, it is possible. Considering
that Vista won't even install on a system
with less than 512MB of RAM and won't
run worth a darn on a system with less than 
1.5GB, I find it eye-opening for Server Core to 
show just how much we willingly give away in 
computing power in order to have a GUI. 

But once you see the Server Core desktop, 
you might beg to trade that computing power 
to get your GUI back—Server Core's desktop 
is nothing more than a command prompt 
window. Server Core lacks about 80 percent of 
the Windows GUI and completely lacks .NET. 
Server Core also can't use Windows PowerShell,
although it can use some PowerShell
commandlets. 

Before you quit reading right here, using 
Server Core isn't as bad as it sounds. You can 
use several methods to administer a Server 
Core system. For example, you can hunker 
down and use the command prompt. Over 
the years, Microsoft has added more and 
more command-line administrative power to 
Windows. Server Core offers several new command-line
interface (CLI) tools, making CLI-based
administration more reasonable. 

And GUI addicts, fear not—you can still 
click to your heart's content. Just fire up a
Microsoft Management Console (MMC) 
remote-management snap-in on a full-blown 
Windows 2008 system to remotely control your 
Server Core system. 

Server Core can't do everything that full-blown
Windows 2008 can; for example, it
can't host an Exchange server or a SQL Server 
machine. It can, however, be a DHCP, WINS, 
DNS, or Microsoft IIS server (although without 
ASP.NET support); a domain controller (DC); 
and a file and print server. 

Why use Server Core? Two reasons. First, 
as I've said, Server Core runs on much lighter 
hardware than the full-blown version of Windows
2008 does. Thus, Server Core might make
more sense as a VM in production than the
complete version makes. Or, Server Core might
fit on an inexpensive bit of computer hardware,
making a server in a branch office more
feasible than a server requiring more silicon 
and iron might be. Second, a smaller software 
base offers fewer places for bugs to crop up 
that would allow malicious users to attack and 
exploit a Server Core system—which Microsoft
claims will prevent Server Core systems
from needing patching as often as full-blown 
systems. All other things being equal, less 
software means better security (which, I think, 
is why Microsoft didn't include .NET in Server 
Core). And although some of you will disagree 
with me, I think Microsoft should keep .NET 
A computer tech proposes an
alternative to another 
IT Pro Hero’s solution 
A recent IT Pro Hero, Michael Dragone, discussed
his batch-file solution for tracking employee
logons on the company network and logoffs
by user and computer (see "It's 10:00 p.m.: Do You Know
Who's Logged On?" June 2007, InstantDoc ID 95922). Michael's solution consisted of a logon
script that records the time a user logs on or off a machine and the computer being accessed, 
then writes this information to a log file on a server share. But one of my colleagues, Barry, 
a tech in the Calgary Separate School District in Calgary, Alberta, the same school district 
for which I work, discovered a potential loophole when he tried using a similar solution. In 
order for the information to be appended to the log file, users would require write access 
to the log file—so a student could possibly tamper with the log file. To avoid this problem, I 
developed a solution for my employer, Bishop Grandin High School in the Calgary Separate 
School District, which uses a Group Policy Object (GPO) to turn on event-log auditing, then 
transfers those event logs to a central network share that users can't access. 

Creating the GPOs 

To start, I enabled the Computer Configuration GPO that turns on the auditing
of logon events on a computer (we're running Windows XP Professional on
all student workstations and Windows Server 2003 on our servers). Web Figure 1
(http://www.windowsitpro.com, InstantDoc ID 96633)
shows this GPO. The GPO set
the computers to write the username
used to log on to the computer,
the computer shutdown
or restart time, and the logon
attempt's success or failure to
FIND MORE ONLINE!

See readers’ comments about the
June 2007 IT Pro Hero—and some
scripts that provide alternative solutions—at
http://www.windowsitpro.com/Articles/ArticleID/95922/95922.html.
off Server Core. The .NET platform is a hefty
bit of software with its own security subsystem—adding
it to a "minimalist" version of
Windows 2008 that's designed for sturdiness 
would defeat the purpose of Server Core. 

The big question is: Will Server Core sell? 
And the answer depends on just one thing: 
price. Microsoft says that when you buy a 
copy of Windows Server 2008 Standard Edition,
Enterprise Edition, or Datacenter Edition,
you'll have the option of installing either the
complete or Server Core version of the software.
If so, Server Core is doomed. Why would
someone pay thousands of dollars for a server 
OS, then install its reduced-function version? 
My prediction is that Server Core will die on 
the vine—which would be a shame. Microsoft 
should think seriously about making Server
Core the Windows 2008 "low-price alternative."

Active Directory Changes 

The first change that Windows 2008 brings to 
Active Directory (AD) is a new name, Active 
Directory Domain Services. ADDS alters Windows-based
domains in several ways: read-only
DCs (RODCs), fine-grained password
policies, and AD snapshots. 

Before I discuss what's new in Windows 
2008 AD, let me point out what's not new: 
improvements to forest restructuring tools. 
Windows 2008 still offers no easy way to merge 
forests, pluck a domain from a forest and make
it a new forest, merge two domains, or perform
any of the other tasks that mergers, acquisitions,
and reorganizations require.

Read-only DCs. Windows 2008 has a new 
sort of DC called a read-only domain controller 
(RODC), which might be the OS's second-biggest
change after Server Core. Recall that prior
to Win2K, domains had just one server with a 
read/write copy of the domain accounts—the 
server called the primary domain controller 
(PDC). All the other DCs had just read-only 
copies of the domain accounts; they were 
called backup domain controllers (BDCs). In 
Win2K, all DCs became equal, with every DC 
being a read/write DC. 

Microsoft finally decided that neither of 
these approaches is optimal. Therefore, in 
Windows 2008 you can select the mix of 
read/write DCs and RODCs you want. Read/write
DCs are useful because they can accept
updates to domain accounts, whereas RODCs 
can't. So, you can't use an RODC to create a 
new user account or change a password. 

Why use an RODC? First, RODCs generate 
less replication traffic. Second, RODCs have 
a feature that Windows NT 4.0 BDCs lack: 
fine-grained control of exactly how much 
domain data you share with a given RODC. For 
example, you could put an RODC into a small 
branch office with eight employees and tell 
the RODC only the passwords of those eight 
people. If the RODC were then stolen and its 
AD copy hacked, the only passwords at risk 
would be the ones on those eight accounts,
rather than the passwords of every account
in the domain. Or, you could be even more
cautious and not tell the RODC any of the passwords,
making the DC a nearly useless target.

A branch office RODC without any passwords
would still be useful because although
it couldn't provide initial logon services for 
a user, it could handle subsequent logons. A 
user's first-thing-in-the-morning workstation 
logon would require a WAN link, but the local 
RODC could handle any further logons (e.g., 
a Sysvol connection to read group policies, a 
logon to a local print server, a connection to 
the Exchange server). And if a branch office 
DC were stolen, Windows 2008's AD lets you 
the System event log. (Of course, this method wouldn't tell us whether a
student was using another student's account name and password.)

At the school, we force users to shut down or restart their computers
at the end of their session rather than simply log off. On the students'
computers we use Faronics Deep Freeze (http://www.faronics.com), a
product that preserves a computer's original configuration by clearing
any changes made to the computer and any files saved on the computer
when the computer is rebooted. Thus, the next logical step in my solution
was to institute a shutdown GPO, which runs a startup/shutdown
script on a computer and transfers the computer's event logs to the 
central share using the freeware EventSave utility (more about EventSave 
shortly). I opted to use a computer-based GPO for the shutdown so 
that we wouldn't need to worry about giving a user account any special 
access privileges. 

Moving the Logs 

I knew that Frank, a systems analyst for our school division, used the
freeware EventSave utility from Frank Heyne Software
(http://www.heysoft.de/frames/f_home_en.htm) on his server builds. You can use
the utility (eventsave.exe) in a batch file to transfer event log files from
one computer to another. Frank uses scheduled batch files to regularly 
clear our servers' event logs while still maintaining the logs in a central 
location if we ever need to look up log information. 

I decided to use the same method on my student workstations as part 
of my solution to track students' computer use. I created the following 
batch file (adapting its syntax from the EventSave FAQ at
http://www.heysoft.de/Frames/f_faq_evt_en.htm):

start /wait \\server\share$\EventSav.exe \\server\
share-to-where-event-logs-are-saved /c

(Note that the /c switch terminates the cmd.exe window and also that 
the previous line wraps to multiple lines because of space print constraints.
You should type the actual command on one line.) Because we
were simply transferring the event logs to a central share, users couldn't 
tamper with a log file, since no log file would exist. 

Searching the Logs 

After I developed the logging and shutdown mechanisms, my final 
run a wizard to change the stolen passwords
or make the user accounts inactive. This wizard 
also makes removing a dead DC from AD far 
simpler than using the Ntdsutil tool. 

Fine-grained password policies. The only 
reason for having more than one domain in 
an AD forest that still makes technological 
sense is if you want some of your users to have 
to change their passwords every X days and 
other users to have to change their passwords 
every Y days. Ever since Win2K, all members of
an AD domain have been subject to the same 
password policies. 

Windows 2008's AD changes this rule. You
can now tell AD to show different password 
policies (i.e., Password Settings Objects—PSOs) 
to different groups or individuals. Creating PSOs 
is a bit arcane—the most user-friendly tool for 
doing so is adsiedit.msc. However, the under-the-hood
features are quite well thought out.
For example, have you ever created a new Group
Policy Object (GPO) that failed to take effect
because it was blocked by a permission or overridden
by another policy? The obvious solution
is to use a tool that computes Resultant Set of 
Policy (RSoP), which is the ultimate analysis of 
which policy triumphs over others. Windows 
2008 has a simple built-in RSoP tool that runs 
automatically every time you create a PSO. 

AD snapshots. Wouldn't it be neat to look at 
an AD snapshot as if it were a live, working, running
AD? Windows 2008 lets you do so—sort
of. An AD snapshot is an image taken from a 



working copy of AD on a DC, like a backup. But 
an AD snapshot is more than just a backup;
you can use the tool dsamain.exe to mount an 
AD snapshot and get a seemingly functional 
but nonactive AD installation. Then, you can 
use an LDAP editor to examine the backed-up 
AD's objects, object attributes, and so on. 

A benefit of AD snapshots is that you can 
compare two different DCs' ADs, or you can 
compare the state of a DC's AD over time to see 
what changed in the DC's copy of AD. AD snapshots
also let you easily browse your AD backups.
The alternative method for examining an
AD backup is to set up a DC that's disconnected 
from the enterprise network, then restore the 
backup—which is fairly time consuming. 

The one fly in the AD snapshots ointment 
is a lack of LDAP viewers. You can't fire up 
the Microsoft Management Console (MMC) 
Active Directory Users and Computers snap-in 
to examine a snapshot; instead, you're stuck 
with adsiedit.msc or ldp.exe. Perhaps a future
version of Windows Server will offer a tool that
simplifies the process of exploring AD naming 
contexts. For example, a tool for sifting through 
a Global Catalog (GC) would certainly make 
Exchange troubleshooting a lot easier. 

Group Policies 

Although Windows 2008 brings a lot of Group 
Policy improvements, we've already seen most 
of them in Vista, which makes sense because 
the workhorse of group policies isn't the DC 
that holds the GPOs—instead, it's the Group 
Policy client software that runs on the desktop 
and server systems. Still, Microsoft saved a few 
Group Policy goodies for Vista's big brother, 
Windows 2008. 

First, and long overdue, Group Policy Management
Console (GPMC) gets a Find command.
Although GPOs can contain any or all
of more than 2,400 settings, no command currently
exists for easily finding the setting you
want. For example, you can't ask the Group 
Policy Object Editor to show you all the settings 
that refer to WPA. 

Second, Windows 2008's GPMC will let 
you add comments to GPOs. As someone 
who's been running production ADs for more 
than seven years, I admit that sometimes I 
can't remember what I was thinking when I 
assembled a particular GPO. Just being able to 
add an explanatory paragraph to a GPO will be 
a welcome addition. 




step was to create an easy way to search the collection of saved event 
logs for events confirming an account's successful or unsuccessful 
logon/logoff and events stating when the computer was successfully 
shut down. To do so, I used the utility in the Windows Scripting Solutions
article "The Event Log Query Utility," December 2006, InstantDoc
ID 93973, to set up an HTML Application (HTA) that searches
event logs for specific event IDs, then generates a Microsoft Excel
spreadsheet containing the ID, audit type, and description of each
event in the log. (Windows Scripting Solutions is now Scripting Pro
VIP. For more information, go to http://www.scriptingprovip.com.)
I also referred to the Microsoft article "Security Event Descriptions"
(http://support.microsoft.com/?kbid=174074) to obtain information
about the ID numbers used for successful and unsuccessful
logon attempts. 
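
The search step described above, sketched as an added example (it is not the author's HTA or the Event Log Query Utility): it pairs each successful logon with the next logoff or shutdown on the same computer and counts repeated failures. It assumes the saved logs were exported to CSV with the constructed column names shown, and it uses the Windows XP/Server 2003 event IDs 528, 529, 538 and 6006, which the article itself does not list.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Windows XP / Server 2003 event IDs (assumed here; the article does not list them).
LOGON_OK = 528     # Security log: successful logon
LOGON_FAIL = 529   # Security log: logon failure (unknown user name or bad password)
LOGOFF = 538       # Security log: user logoff
SHUTDOWN = 6006    # System log: Event Log service stopped (clean shutdown)

# Constructed sample rows; the column names are this example's own.
SAMPLE_CSV = """computer,log,event_id,time,user
LAB1-PC01,Security,529,2007-09-04 08:30:41,jsmith
LAB1-PC01,Security,528,2007-09-04 08:31:10,jsmith
LAB1-PC01,System,6006,2007-09-04 09:20:05,
LAB1-PC01,Security,528,2007-09-04 09:25:00,adoe
LAB1-PC01,Security,538,2007-09-04 10:10:00,adoe
LAB1-PC01,System,6006,2007-09-04 10:10:30,
LAB1-PC02,Security,529,2007-09-04 08:29:02,bwhite
LAB1-PC02,Security,529,2007-09-04 08:29:15,bwhite
LAB1-PC02,Security,529,2007-09-04 08:29:31,bwhite
LAB1-PC02,Security,528,2007-09-04 08:32:00,bwhite
"""


def load_events(text):
    """Parse exported rows and order them per computer, oldest first."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "computer": row["computer"],
            "event_id": int(row["event_id"]),
            "time": datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S"),
            "user": row["user"] or None,
        })
    events.sort(key=lambda e: (e["computer"], e["time"]))
    return events


def build_sessions(events):
    """Pair each successful logon with the next logoff or shutdown on that computer.

    A session whose end is None had no recorded logoff or shutdown
    (for example, the machine lost power), which is worth a second look.
    """
    sessions = []
    open_logon = {}  # computer -> (user, start time)

    def close(pc, end):
        user, start = open_logon.pop(pc)
        sessions.append({"computer": pc, "user": user, "start": start, "end": end})

    for e in events:
        pc = e["computer"]
        if e["event_id"] == LOGON_OK:
            if pc in open_logon:      # previous session never closed cleanly
                close(pc, None)
            open_logon[pc] = (e["user"], e["time"])
        elif e["event_id"] in (LOGOFF, SHUTDOWN) and pc in open_logon:
            close(pc, e["time"])
    for pc in list(open_logon):       # logons still open at the end of the data
        close(pc, None)
    return sessions


def repeated_failures(events, threshold=3):
    """Return (computer, user, count) for accounts with many failed logons."""
    counts = Counter((e["computer"], e["user"])
                     for e in events if e["event_id"] == LOGON_FAIL)
    return sorted((pc, user, n) for (pc, user), n in counts.items() if n >= threshold)


if __name__ == "__main__":
    evts = load_events(SAMPLE_CSV)
    for s in build_sessions(evts):
        print(s["computer"], s["user"], s["start"], "->", s["end"])
    print("Repeated failures:", repeated_failures(evts))
```
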

We store the saved event-log information for a term (about two 
months), then typically delete it. Because of Alberta's privacy laws, only 
IT staff members have direct access to the logs at present. We can easily 
view the saved logs via the Event Viewer. Although the logs are maintained
chiefly for security purposes, we can also make them available,
on request, to administrative staff or teachers to provide information
such as the frequency of use of computers by students, classrooms, and 
programs and peak-usage times. 

Easy Information Access 

We've been using the GPO-based solution since April. So far, the 
solution's chief benefit is that it gives IT an easy way to search for computer-use
information upon request. Like most IT professionals, I'm
used to running around to put out fires. But taking a little extra time to 
anticipate our staff's need for information about students' computer use 
has helped me to think more proactively about my IT role. 
Finally, Windows 2008's GPMC introduces
the notion of "starter GPOs." Although Group
Policy can accomplish many tasks, performing
some of them can seem a bit cryptic. For example,
Windows systems have always had a quirky
security weakness called an "anonymous logon"
or "null session." This weakness lets people on
your intranet access information about your
computer without logging on. To reduce these
anonymous users' power in Windows, you need
to activate several Group Policy settings. And as
anyone who's ever pored over the many Windows
"hardening guides" can attest, figuring out
those settings and how to enable them can take
a lot of time. Windows 2008 offers some help in
the form of a starter GPO document that anyone
can create to collect the settings in one place,
then distribute them to users. Microsoft promises
a few built-in settings, including a desktop
hardening starter GPO, but I'm sure that users 
will create some great ones as well. 

Terminal Services 

Terminal Services just continues to get better 
in Windows 2008. For example, you just have
to love the Terminal Services Gateway (TSG).
This new service lets users connect to a terminal
server/remote desktop behind a firewall
by first logging on to the TSG, then choosing 
the terminal server/remote desktop inside the 
firewall that they want to access. The beauty 
is that a TSG user doesn't need to connect to 
a draggy VPN in order to log on to the desired 
system. But TSGs are still secure because they 
employ a new sort of RDP over Secure Sockets 
Layer (SSL). The result is speed and security. 
And from what I hear, you don't need Windows 
2008 (or even Vista) to use RDP over SSL; 
apparently the new RDP client for Windows 
XP that Microsoft released earlier this year 
extends RDP over SSL capabilities to XP and 
Windows 2003. 

In addition, Terminal Services takes a 
leaf right out of Citrix's playbook, using 
"Remote Programs" (which resemble Citrix's 
"Seamless Windows" feature). With Remote 
Programs, you can use Terminal Services to 
deploy an application to a Windows desktop. 
In such a deployment, a user would see a new 
icon on the desktop and could click the icon 
to use the associated application, without
the local hard disk having to store any of the
application's code. The application would 
actually be nothing more than a Terminal 
Services window, but with a normal Windows 
frame. 

Give It a Whirl! 

Microsoft's upcoming Windows Server offering 
has many interesting new features. If you have 
access to the Windows 2008 beta, I strongly 
recommend that you fire it up and start playing.
The last I heard, Windows 2008's release to
manufacturing (RTM) date is early November,
with general availability in February 2008. The
more you can learn ahead of time, the better off
you'll be.
8 MORE ABSOLUTELY COOL, TOTALLY FREE UTILITIES

by Douglas Toombs

Here’s our latest collection of dynamite freeware for your USB


About a year ago, Windows IT Pro published my "8 Absolutely
Cool, Totally Free Utilities" article (InstantDoc ID 50122)—a
compilation of handy tools I'd gathered in my IT travels. I use
these kinds of tools on a daily basis, carrying them around on 
a portable USB drive so that I can grab them at a moment's 
notice. They make me a happier administrator, and they help 
make my clients even happier, too. Best of all, every one of the tools is 
completely free. 

That article received a generous amount of positive feedback, so for 
the past year, I've been keeping an eye out for other free utilities that are 
new or that I might have missed the first time around. Without further 
ado, here's my second collection of eight terrific, completely free utilities 
that will make your job easier. (For information about how to locate and 
download each tool, see the Learning Path on page 42.) 

■ Inventory and Monitoring Tools 

The modern enterprise network contains a ton of data to manage—not 
just user or company data, mind you, but data about how everything is 
put together, how it's performing, and so on. Let's start by looking at a few 
utilities for keeping tabs on your environment and getting the information
you need when you need it.

WinDirStat 

The goal of WinDirStat—probably my favorite utility in the bunch—is 
simple: Determine how space is being utilized across your disks and 
represent it visually in multiple ways so that you can easily find wasted 
space. This utility does a great job of ferreting out directories or files that 
are taking up too much space in your network. Figure 1, page 38, shows 
how you can display disk utilization in three ways: a traditional directory
list (i.e., upper left), a graphical and interactive tree map (i.e., bottom),
and an extension list (i.e., upper right). 

But the figure doesn't portray this utility's interactivity. As you move your 
mouse over large blocks in the lower portion of the display, the names of 
the files represented by those blocks appear in the status bar at the bottom 
of the window. When you click an item, the upper-left tree list expands to 
the individual file in question. Through this interface, I quickly discovered 
about 10GB worth of PST files hidden in a Norton Protected Recycle Bin on 
my desktop. The large files stood out on the map, so I instantly knew what 
was going on. (I'd uninstalled Norton several months earlier.) 
Another interactive aspect of this utility lets
you click a directory name in the upper-left
side of the display, producing a white frame
around the objects in the graphical display at
the bottom. This display gives you a visual representation
of how much space each directory
on your system consumes. You can start at the
top-level directories or navigate down to lower-level
directories in the tree, and the behavior is
the same. 

WinDirStat is available for every flavor of 
Windows released in the past decade, from 
Windows 95 to Windows Server 2003. 

System Information for Windows

Quite frankly, System Information for Windows (SIW) knocks my socks off.
This simple, stand-alone utility can tell you nearly anything about an
individual system—and I mean anything. Figure 2 shows SIW's main
interface. Once you use this tool, you'll rarely ever go to My Computer
and select Manage again.

The sheer amount of system information that 
this utility can extract is amazing. Need to know 
your original Windows installation serial number 
and product keys? Want to see CPU or other 
ambient temperatures currently reported by your 
motherboard (assuming it's capable)? Need to 
find application license keys for a wide range of 
common off-the-shelf applications, above and 
beyond Microsoft products? Need to recover a 
password? SIW can accomplish all these tasks 
and report on a huge amount of data: 

• Software—OS, hotfixes, installed applications (and applicable license
keys, in many cases), current processes, open files, audio and video codecs

• Hardware—motherboards, sensor data, BIOS, CPU, PCI/AGP, USB and
ISA/PnP, memory, video card, monitor, disk drives, CD/DVD drives, SCSI
devices, Self-Monitoring, Analysis, and Reporting Technology (SMART)
data, ports, printers

• Network—network cards, shares, network 
connections, open ports 


Interact

To point your peers to great freeware, and to find some more terrific
tools, join the Windows IT Pro forum discussion about “Useful Utilities” at
http://forums.windowsitpro.com/web/forum/messageview.aspx?catid=50&threadid=64379.


SIW also offers password-recovery tools for revealing passwords hidden
behind asterisks, product keys, and serial numbers, as well as real-time
CPU, memory, page-file-usage, and network-traffic monitors. SIW is
available for every version of Windows since Win98, including 64-bit
versions and Windows Vista. Many thanks to Gabriel Topala for providing
such a great free utility to the world.

OCS Inventory NG 

Another project available at SourceForge, Open Computers and Software
Inventory (OCS Inventory NG) has a larger architecture than our first two
utilities do, but its goal is loftier: to provide detailed inventory data and
package management across an entire network of systems. Compatible
client systems for OCS Inventory NG include Windows 2003/Vista/
XP/2000/Me/NT 4.0/98/95, HP-UX, IBM AIX, Linux and BSD, Macintosh
OS X, and Sun Solaris. The utility's modular and scalable architecture
makes it suitable for both small networks (of a few dozen devices) and
large enterprise networks (of tens of thousands of devices). Figure 3
shows the main interface.

The OCS Inventory NG architecture is comprised of five major components:
agents that reside on target devices, a database server to store collected
information, a server to handle all communications between agents and the
database, a deployment server to store any packages that require network
deployment, and a Web-based administrative console. You can install each
component on its own server for high scalability, or you can place them all
on the same system in smaller environments.

Figure 3: OCS Inventory NG's detailed inventory view

The level of inventory data that OCS Inventory NG can collect is
comprehensive (although not as comprehensive as that of SIW) and would
make any systems administrator happy. All that data is easily available and
up to date in a centralized database. But in addition to providing capable
network-inventory functionality, OCS Inventory NG includes
package-deployment capabilities on client computers that are in the
inventory system. From a Web-based administration server, you define
packages that clients will download via HTTP/HTTPS. An optional OCS
Inventory NG agent on client computers performs package execution.

A deployment package has four primary components: priority, action,
payload, and an optional launch command. The priority component defines
which packages take deployment precedence over others, and the action
component describes what happens with the payload itself: simply copy it
to the target system, copy and execute it, or use the launch command
(external to the payload) to launch it on the system as a part of the
deployment. With enough time and creativity, you'll find OCS Inventory
NG's package-deployment capabilities extremely useful.


PRTG Traffic Grapher

Paessler's PRTG Traffic Grapher takes much of its history from the
original, open-source multi-router traffic grapher (MRTG) project, adding a
considerable amount of user friendliness to the solution. In this freeware
version, you can enumerate only three sensors, but given the simplicity of
PRTG's setup process and the useful data it can provide, most
administrators will find the tool valuable even with only three interfaces.

PRTG offers advanced capabilities that simplify the logging and graphing of
performance data over time. Performance data can include bandwidth
utilization, any SNMP-instrumented data, end-to-end LAN/WAN latency
monitoring, and traffic utilization per protocol type. PRTG collects the
information on a set interval and logs it to its data stores so that you can
easily monitor current and over-time network performance. Figure 4 shows
PRTG's main screen while the tool is running and collecting data.

PRTG's sensors have varying capabilities. For example, you can use SNMP—a
low-overhead solution on the monitoring station and on target devices—for
lightweight WAN-bandwidth monitoring or for monitoring a number of other
easily obtained SNMP counters (e.g., CPU utilization, memory utilization).
However, if you need more traffic data, packet sniffing lets you log
utilization data and break it down by protocol type. Outside of the
bandwidth, PRTG can also collect data from any SNMP-based counter and log
it over time. PRTG also supports the concept of an "aggregate sensor," which
you can use to aggregate data for multiple individual sensors (e.g.,
measuring bandwidth utilization, but only across switch ports 2-7 instead
of the entire switch).
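The arithmetic behind an SNMP bandwidth sensor and an aggregate over switch ports 2-7, as an added example that is not PRTG's code: it turns two polls of a 32-bit octet counter into a rate, handles counter wrap and agent restarts, and shows how quickly a busy link wraps the counter. The function names and the sample counter values are constructed for illustration.

```python
"""Added example: bandwidth from SNMP octet counters (not PRTG's code)."""

COUNTER32_MOD = 2 ** 32  # 32-bit octet counters roll over to 0 at this value


def octets_delta(prev, curr, modulus=COUNTER32_MOD):
    """Octets moved between two polls, allowing for a single counter wrap."""
    if not (0 <= prev < modulus and 0 <= curr < modulus):
        raise ValueError("counter value outside the counter's range")
    return (curr - prev) % modulus


def rate_bps(prev, curr, interval_s, prev_uptime=None, curr_uptime=None):
    """Average bits per second over the interval, or None to discard the sample.

    If the device's uptime went backwards, the agent restarted and its
    counters were reset, so the difference between the polls means nothing.
    """
    if interval_s <= 0:
        raise ValueError("poll interval must be positive")
    if prev_uptime is not None and curr_uptime is not None:
        if curr_uptime < prev_uptime:
            return None
    return octets_delta(prev, curr) * 8 / interval_s


def wrap_time_s(link_speed_bps, modulus=COUNTER32_MOD):
    """Seconds a fully loaded link needs to wrap the counter once.

    Polling less often than this makes a double wrap possible, and a double
    wrap silently under-reports traffic.
    """
    return modulus * 8 / link_speed_bps


def aggregate_bps(samples, ports, interval_s):
    """Sum the rates of the selected ports only (the aggregate-sensor idea).

    samples maps port number -> (previous_octets, current_octets).
    """
    return sum(rate_bps(*samples[port], interval_s) for port in ports)


# Constructed sample: two polls, 60 seconds apart, of an 8-port switch.
POLL_INTERVAL_S = 60
CONSTRUCTED_SAMPLES = {
    1: (0, 7_500_000),
    2: (4_294_967_000, 749_704),  # counter wrapped between the two polls
    3: (10_000, 85_000),
    4: (10_000, 85_000),
    5: (10_000, 85_000),
    6: (10_000, 85_000),
    7: (10_000, 85_000),
    8: (0, 7_500_000),
}

if __name__ == "__main__":
    ports_2_to_7 = range(2, 8)
    print("ports 2-7:", aggregate_bps(CONSTRUCTED_SAMPLES, ports_2_to_7, POLL_INTERVAL_S))
    print("whole switch:", aggregate_bps(CONSTRUCTED_SAMPLES, range(1, 9), POLL_INTERVAL_S))
    print("1 Gbps link wraps a 32-bit counter in", wrap_time_s(10 ** 9), "seconds")
```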

The installation process is quick and painless. Within five minutes, you
can have the application downloaded and plotting data in your network.


Security Tools 


Obviously, security of data and assets is vital to any IT organization. The
free utilities I discuss here certainly don't represent a complete set of
solutions to tackle all the data- and asset-protection complexities that
organizations face today, but they're helpful tools for solving specific
problems you might typically face.


TrueCrypt 

Back in my consulting days, I usually managed simultaneous projects across
a half dozen active clients. Plus, I needed to retain data and files for
numerous additional clients. I had all this information on my laptop, and
much of it was confidential. But even if it wasn't all confidential, it was
my obligation to protect my clients' data if I took copies of it beyond
their walls. I turned to TrueCrypt, another open-source project at
SourceForge, as the answer for my data-encryption needs. The tool remains a
rock-solid solution that I depend on today. Figure 5, page 42, shows
TrueCrypt's interface.
Figure 4: PRTG's main interface
Learning Path

Find your free tools:

LocatePC (http://www.locatepc.com)
OCS Inventory NG (http://ocsinventory.sourceforge.net/index.php)
PRTG (http://www.paessler.com/prtg/download)
SIW (http://www.gtopala.com)
SyncBack (http://www.2brightsparks.com)
TrueCrypt (http://www.truecrypt.org)
WinDirStat (http://www.windirstat.info or http://www.sourceforge.net/projects/windirstat)
Wink (http://www.debugmode.com/wink)

WINDOWS IT PRO RESOURCES:

“8 Absolutely Cool, Totally Free Utilities,” InstantDoc ID 50122
“Safeguard the Data on USB Storage Devices Without Spending a Dime,” InstantDoc ID 95235
“A Bootable Network Security Toolkit,” InstantDoc ID 44409
“6 Network Protocol Analyzers,” InstantDoc ID 42922



TrueCrypt, which is available for Windows and several flavors of Linux,
offers two types of encryption. First, TrueCrypt can create a virtual
encrypted disk on your system that's stored in a .tc file somewhere on a
file system. To Windows, the TrueCrypt disk image looks like just another
file on the drive. You can back it up, copy it around your network, or carry
it on a USB thumb drive. But once TrueCrypt is running, you can mount and
dismount these files as new volumes within Windows, then seamlessly work on
the files as easily as manipulating files on your C drive. All encryption
occurs on the fly, with no other prompting or tweaking necessary. You can
even format the encrypted volumes with NTFS so that you can hold large
files in an encrypted volume.

Figure 5: TrueCrypt's interface, with an encrypted volume mounted

The second type of encryption is to have TrueCrypt automatically encrypt an
entire device (e.g., hard drive, floppy drive, USB thumb drive)—although
all data currently on the target device will be wiped out. In this scenario,
all data on the target device will be encrypted and decrypted when
TrueCrypt is running, and unusable when it isn't running.

TrueCrypt supports a number of advanced encryption algorithms, including
some algorithms that are approved for US government classification
levels—all the way up to Top Secret. The tool offers several helpful dialog
boxes in each of its interfaces, removing a lot of the mystery and guesswork
involved with encryption. TrueCrypt is an extremely well-designed Windows
application that supports both 32-bit and 64-bit Windows and Vista User
Access Control (UAC), and it is digitally signed and certified by
GlobalSign.


LocatePC 

I often wonder why I never thought of writing the LocatePC utility myself.
It's a simple application with just one purpose: to email you whenever any
private or public IP address in your system changes and to otherwise remain
quiet and hidden.

Why is that functionality so useful? You would use LocatePC primarily to
aid in the recovery of stolen systems. Because LocatePC simply sits in the
background and sends out email whenever an IP address changes, it can be
beneficial if you're trying to track down a laptop that has been lost or
confiscated from one of your employees during a business trip. The faster
you get that asset back, the less risk of exposure you have.

Every time Windows detects a possible change in a system's IP information,
LocatePC—which you can see in Figure 6—sends a detailed email message to
an address that you predefine. This message includes information about
every IP address in the system, the resolved public IP address of the system
(which the tool gets by sending a test query to a public Internet site), a
traceroute mapping to that same public system, logon details for any dialup
networking connections on the system (including phone numbers and
usernames), and any hard-coded identifying information you configure for
the host.

You need to understand a few caveats. 
First, if a thief is smart enough to completely 
wipe out Windows before hooking up to 
the Internet, you're out of luck. Second, if the 
thief doesn't connect to the Internet or doesn't 
connect to a location that permits outbound 
SMTP connections, you're also out of luck. 
No solution is guaranteed. But considering 
LocatePC's simplicity and small size, it's a great 
security measure that takes only two minutes 
to set up. 

My only complaint is that LocatePC is never absolutely sure that something
has changed. In my testing, I've determined that my home router has a
tendency to blink offline for a minute every so often. When it does, as soon
as the Wi-Fi interface comes back up, Windows thinks it has a new connection
(even though the IP address is the same) and LocatePC sends me an alert
message. I get a few of these per day. My simple solution to this annoyance
was to create a custom mailbox on my mail server for all my LocatePC notices
from all my PCs and laptops. Hopefully, I'll never need to look through all
that information to try to recover a stolen system. However, if misfortune
strikes, I'll have a good chance of discovering the computer's location
when it comes back online and LocatePC emails me.
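The repeat alerts described above come from treating every link-up event as a change. The added example below (not LocatePC's code) compares each address snapshot with the last one actually reported, so a router blink that returns the same addresses stays silent while a real move still alerts. The snapshot layout, state file name, and sample events are constructed for illustration.

```python
"""Added example: alert only when addresses really change (not LocatePC's code)."""
import ipaddress
import json
import os
import tempfile


def usable_addresses(snapshot):
    """Set of 'name=address' strings that say something about location.

    Loopback, unspecified and link-local (APIPA) addresses are dropped: they
    show up while an interface is down or still waiting for DHCP.
    """
    found = set()
    for iface, addrs in snapshot.get("interfaces", {}).items():
        for text in addrs:
            ip = ipaddress.ip_address(text)
            if ip.is_loopback or ip.is_link_local or ip.is_unspecified:
                continue
            found.add(f"{iface}={ip}")
    if snapshot.get("public"):
        found.add(f"public={ipaddress.ip_address(snapshot['public'])}")
    return found


class ChangeNotifier:
    """Remembers the last reported address set in a small JSON state file."""

    def __init__(self, state_path):
        self.state_path = state_path

    def _load(self):
        try:
            with open(self.state_path, encoding="utf-8") as fh:
                return set(json.load(fh))
        except (FileNotFoundError, ValueError):
            return None  # first run or damaged state: nothing reported yet

    def _save(self, addrs):
        tmp = self.state_path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as fh:
            json.dump(sorted(addrs), fh)
        os.replace(tmp, self.state_path)  # swap in one step, never half-written

    def observe(self, snapshot):
        """Return a report dict when an alert is due, otherwise None."""
        current = usable_addresses(snapshot)
        if not current:
            return None  # offline: nothing to report and no way to send it
        previous = self._load()
        if previous == current:
            return None  # link flapped but came back with the same addresses
        self._save(current)
        known = previous or set()
        return {
            "first_report": previous is None,
            "added": sorted(current - known),
            "removed": sorted(known - current),
        }


# Constructed events: home network, router blink, recovery, then a new network.
CONSTRUCTED_EVENTS = [
    {"interfaces": {"Wi-Fi": ["192.168.1.23"]}, "public": "203.0.113.10"},
    {"interfaces": {"Wi-Fi": ["169.254.17.4"]}, "public": None},
    {"interfaces": {"Wi-Fi": ["192.168.1.23"]}, "public": "203.0.113.10"},
    {"interfaces": {"Wi-Fi": ["10.20.30.44"]}, "public": "198.51.100.77"},
]


def replay(events):
    """Feed events to a fresh notifier and collect what it would send."""
    with tempfile.TemporaryDirectory() as tmp:
        notifier = ChangeNotifier(os.path.join(tmp, "last_reported.json"))
        return [notifier.observe(event) for event in events]


if __name__ == "__main__":
    for number, report in enumerate(replay(CONSTRUCTED_EVENTS), start=1):
        print(number, report if report else "no alert")
```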

SyncBack 

For years, I'd been looking for a reliable file-synchronization utility to
help me perform automated backups of my data across my network. After all,
who needs tape or CD backups if disk space is so cheap that you can simply
have one system back up to another? I've tried a number of solutions over
the years—from open-source to commercial—but SyncBack is the only
solution I've stuck with.

SyncBack helps you easily back up (or synchronize) files to another
location on the same drive, a different drive, a different storage medium
(e.g., CD-RW, CompactFlash, USB thumbdrive), an FTP server, a network
share, or a Zip archive. Unlike other utilities in this space that try to
accomplish too much, SyncBack really nails its interface—which Figure 7
shows—with an approach that's simple enough to follow but doesn't skimp on
features or configuration options.

I use this tool for daily, weekly, and monthly backups on my home network.
By setting up three target directories on a removable 300GB USB 2.0 drive
and using SyncBack's built-in scheduling capabilities (which populate the
appropriate commands into the Windows scheduler service), I've created
three backup profiles: one to run nightly at 5 p.m., one to run weekly at
3 a.m., and one to run on the first day of every month at 1 a.m. I've
selected a backup profile and instructed SyncBack to delete any files in
the destination that aren't in the source.


Now, I rest easy at night knowing that my data is backed up every single
evening. These backups have saved me on more than one occasion when I've
accidentally wiped out development code. By simply going to my
always-up-to-date backups, I'm ready to go again. For absolutely critical
files, I also have an offsite backup profile that delivers my files to an
FTP server on the other side of the country.

SyncBack also supports a sync profile (i.e., changes on both sides are
replicated to each other), as well as the use of direct UNC path names. The
tool also supports the use of FTP servers as destinations. SyncBack can
ensure that certain applications are closed before running its profiles and
can email you the results of each profile it runs—or email you only when an
error occurs while executing a profile.

If you have file synchronization needs on 
your network that you haven't figured out a 
workable solution for, I would suggest you take 
a look at SyncBack and see if it will meet your 
needs. The amount of functionality available 
in the freeware version is impressive, and its 
execution is rock solid. 

Expand Your Toolkit 

I hope some of the utilities I've described can help you reduce the number
of hours you spend every day on inventory/monitoring and security tasks.
For one more fantastic utility—which didn't fit into this article's
categories—check out the "Screencasting with Wink" sidebar. Download all
these tools and give them a try! In the meantime, I'll be keeping my eye out
for more great free utilities. Check back next fall for a new batch.

InstantDoc ID 96628 
Screencasting with Wink

Although Wink doesn’t fit into this article’s inventory/monitoring and security categories, the
utility is simply too good to pass up in an article about great free utilities. Wikipedia describes 
screencasting as “a digital recording of computer screen output, often containing audio narration.” 
Much like a screen shot refers to a static moment in time on a computer screen, a screen cast is a 
screen shown over a period of time—presumably with a goal of demonstration or instruction. 

With the explosion of Adobe Flash across the Web, and especially on sites such as YouTube, creating
and distributing interactive screencasts has never been easier. I’ve used commercial applications
for this task in the past, which cost hundreds of dollars per instance, so it’s great to have a viable 
freeware alternative in the marketplace. Tools like this are great for short training videos (both internal 
and external) and product/service demonstrations that need to be repeated. 

Wink lets you record all of or a portion of your screen—including your mouse movements and 
keystrokes—into a real-time movie, then annotate that movie with audio from your PC’s inputs. 
After you record your Wink presentation, you can render the output as a Flash animation complete 
with an HTML page for displaying the resultant .swf file (best for Web distribution), a stand-alone 
.exe file, or as a PDF or other image-format file. (Personally, I’ve needed only the Flash and .exe 
outputs.) After the content has been rendered, it’s ready to be delivered to your target audience 
for consumption. 

Since I’ve built demos for all of my projects, I can’t begin to count how many training classes
and managerial briefings I’ve been able to avoid or cut short. If you find yourself constantly
demonstrating or explaining—visually—how a technology or concept works, you must look into Wink.
Microsoft's solution to application compatibility and manageability

BY JOHN SAVILL

I'm always astounded by the sheer volume of technologies that exist just in the Microsoft
infrastructure space. Deciding which technologies to make a priority, and determining 
which ones will make your life easier (including whether a technology might change 
how you manage and maintain your organization), is a constant process. 

As the sidebar “The Benefits of Application Virtualization,” page 46, explains, recent
advances in client and server management and OS virtualization have made software
deployment easier than ever, but problems with application compatibility and
manageability persist. Application virtualization lets you run applications locally, which
prevents server-based computing's resource wastage, single points of failure, and
limitation to working online. Microsoft's SoftGrid application virtualization solution
provides a sandbox-type environment called SystemGuard that lets applications run on
users' systems without requiring local OS installation.



SoftGrid's Virtual Environment

SystemGuard is a virtual application environment that contains all the elements an application might 
need to access, such as files, registry information, COM objects, and environment information. Although 
SoftGrid-enabled applications don't require installation on the host OS, they do communicate with the 
OS in a controlled manner to avoid duplicating too much data in the virtualized space. 

As Figure 1, page 48, shows, the application communicates with what it sees as normal OS facilities
within the SystemGuard environment, with full read and write access. SystemGuard then communicates
with the actual OS, using strict controls. Configuration information can be read but never modified.
Profile and document data can be changed in the OS, which lets you save data and maintain an
application's environmental preferences between sessions.

Feature | SoftGrid

The Benefits of Application Virtualization

In the past few years, client and server management have changed dramatically. In the “old
days,” file servers housed installation software, and administrators installed applications
manually or used logon scripts to deploy them. Now, Active Directory (AD) and Group Policy
let you more easily assign and publish applications to computers, and Microsoft Systems
Management Server (SMS) provides an even better solution, with more granular and sophisticated
software deployment and progress reports.

Although these technologies help deploy software, application compatibility and manageability
concerns remain. (For example, how do you patch an application? Will the application work if
another application is installed? Is the application compatible with Vista?) Whenever you install an
application, components are registered to the machine; executable files, DLLs, and other files are
copied to the file system; and information is written to the registry. When you upgrade or uninstall
an application, information is left behind. Over time, computers become polluted with leftover files,
registry information, and registered components that can cause compatibility problems.

Virtualization has also improved recently. Traditionally, OS virtualization has been useful for two
key scenarios: consolidation and testing. In the past, each major application ran on its own server,
which was expensive from both a hardware and a licensing perspective. Now, virtualization lets
you run multiple “sandboxed” OSs on one physical server. Application compatibility problems don’t
occur because although several applications are running on a server, each application is running
on a virtual OS, with its own hard disk, registry, processor, and memory resources. For testing,
virtualization lets you run multiple OSs (e.g., Windows XP, Windows 2000 Server, Windows 95,
and Vista) all on the same system, as well as run multiple test environments concurrently.

Running applications in a virtual OS sounds like it would solve any application compatibility
problems—which might work for one application, but what about ten? You need to consider the
overhead, memory usage, and disk space required. In addition, you must manage, patch, and
protect each OS instance. And although applications are sandboxed in the OS, the OS’s entire
environment is also sandboxed, which makes it difficult to save documents or data created in the
application to the host computer’s local file system.

The best solution is to virtualize applications, which lets each application run locally on the
computer. This solution is different from terminal server-style application publication (also known
as server-based computing), in which applications run on the terminal server, with output sent to
users’ computers. In server-based computing, single points of failure occur because applications
reside on the terminal server. In addition, resources are wasted because the workload occurs on
the terminal server, while users’ computers sit idle. Also, users who are working offline can’t run
any applications that are hosted on a terminal server.

Application virtualization prevents these problems. A virtualized application runs on the user’s
machine like a regular application, but in a sandbox environment that prevents installation to the
local OS. Microsoft’s SoftGrid is an application virtualization solution.

InstantDoc ID 96626

The virtual environment consists of several virtual elements for OS areas
that applications use. For example, the Virtual Registry works as an overlay
to the actual OS registry. If an application tries to read from the registry
and the registry data isn't in the Virtual Registry overlay, the read request
is passed to the OS, as Figure 2, page 48, shows. Write requests are always
made into the Virtual Registry overlay. The same process works for the
Virtual File System. For example, this overlay ensures that dynamic link
libraries (DLLs) used by an application are always read from the
SystemGuard environment first to avoid any conflicts with local versions.
If an application relies on a service, the Virtual Services component lets
the service function within SystemGuard, unknown to any other application
running on the OS. Virtual subsystems also exist for the COM environment,
.ini files, process environment, and fonts.
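The read-through and write-to-overlay rules described above, modelled as an added example (a model for illustration, not SoftGrid code). The class and function names, the registry and file values, and the list of locations whose writes reach the OS are all assumptions.

```python
"""Added example: SystemGuard-style overlay semantics (a model, not SoftGrid code)."""


def _norm(path):
    # Registry paths and Windows file names compare case-insensitively.
    return path.replace("/", "\\").rstrip("\\").lower()


def make_host(values):
    """A dict standing in for the real OS registry or file system."""
    return {_norm(path): data for path, data in values.items()}


class Overlay:
    """One virtual element (registry or file system) for one application."""

    def __init__(self, host, packaged=None, passthrough=()):
        self.host = host
        self.layer = {_norm(k): v for k, v in (packaged or {}).items()}
        # Assumption: locations whose writes are allowed to reach the OS
        # (the article says profile and document data can be changed there).
        self.passthrough = tuple(_norm(p) for p in passthrough)

    def read(self, path):
        """Return (data, source); the overlay is always consulted first."""
        key = _norm(path)
        if key in self.layer:
            return self.layer[key], "overlay"
        if key in self.host:  # overlay miss: the request is passed to the OS
            return self.host[key], "host"
        raise KeyError(path)

    def write(self, path, data):
        """Store data and return where it landed."""
        key = _norm(path)
        if any(key == p or key.startswith(p + "\\") for p in self.passthrough):
            self.host[key] = data
            return "host"
        self.layer[key] = data  # everything else stays inside the sandbox
        return "overlay"


def demo():
    """Two virtualized applications, A and B, sharing one constructed host."""
    version = r"HKLM\Software\Contoso\Viewer\Version"
    dll = r"C:\Windows\System32\shared.dll"
    docs = r"C:\Users\alice\Documents"
    host_reg = make_host({version: "1.0"})
    host_fs = make_host({dll: "host build 1.0"})

    reg_a, reg_b = Overlay(host_reg), Overlay(host_reg)
    fs_a = Overlay(host_fs, {dll: "packaged build 2.0"}, passthrough=[docs])
    fs_b = Overlay(host_fs)

    out = {}
    out["a_reads_before_write"] = reg_a.read(version)
    out["a_write_target"] = reg_a.write(version.lower(), "2.0")
    out["a_reads_after_write"] = reg_a.read(version)
    out["b_still_reads"] = reg_b.read(version)      # A's change is invisible to B
    out["host_unchanged"] = host_reg[_norm(version)]
    out["a_dll"] = fs_a.read(dll.upper())           # packaged copy wins for A
    out["b_dll"] = fs_b.read(dll)                   # B sees the local version
    out["doc_write_target"] = fs_a.write(docs + r"\report.txt", "draft")
    out["b_sees_doc"] = fs_b.read(docs + r"\report.txt")
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```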

Overhead 

SoftGrid's SystemGuard adds less overhead to your environment than you
might think. Other than the disk space used to cache the application, which
is generally less than for a locally installed application, a virtualized
application uses less than 1 percent more CPU than a nonvirtualized
application. This is because most of the additional processor usage occurs
when SystemGuard first initializes and an application opens, not while the
application is running. In addition, memory usage is actually lower for
running virtualized applications versus nonvirtualized applications.

Memory overhead can be broken down into paged pool and nonpaged pool. Most
applications operate within paged pool memory. Paged pool content can be
paged to disk as necessary, and the memory used for a virtualized
application is the same as for a locally installed application. The only
additional memory used is 20MB for the SoftGrid client. Nonpaged pool
memory is used for important OS information that can't be paged to disk.

Configuration data (e.g., registry data) is typically pulled into the
kernel during computer start-up. As applications are installed, the
registry grows and takes up more space, leading to longer boot times (for
HKEY_LOCAL_MACHINE and HKEY_CLASSES registry areas) or longer logons (for
HKEY_CURRENT_USER areas).

For SoftGrid applications, nothing is written to the machine registry.
Information needed by the application is loaded at runtime as necessary.
Imagine having 40 applications installed locally but running only 10 of
them—the registry would bloat significantly as nonpaged pool memory was
used up. Running virtualized applications saves 75 percent of nonpaged
pool memory.

Figure 1: Application communication within the SystemGuard environment

Figure 2: SystemGuard's Virtual Registry and the OS registry

Network bandwidth is also saved because 
SoftGrid pulls virtualized applications and 
components to the client on demand. Initially, 
the client has just an application's shortcut 
icon on the desktop. When an application is 
used, SoftGrid pulls the application down in a 
sequenced form, allowing very fast application 
start-up. Only the parts of the application that 
are needed are pulled down, which uses less 
disk space on the client. 

Another interesting benefit is that when you use SoftGrid with terminal
servers, the "therapeutic reboot" isn't necessary. SoftGrid has a highly
contained execution footprint and performs an efficient garbage collection
process when an application closes.

SoftGrid Components 

The SoftGrid suite has five major components 
that let you create SystemGuard applications 
and deploy them to clients. 

1. System Center Virtual Application Server—Streams SoftGrid-enabled
applications to clients and verifies whether a client is authorized for an
application.

2. SoftGrid Data Store—Stores information about the SoftGrid environment.

3. SoftGrid Management Web Service—The interface between the SoftGrid
Management Console and the SoftGrid Data Store. Uses Microsoft .NET
Framework 1.1 or later and requires Microsoft IIS 5.0 or later with
ASP.NET extensions enabled.

4. SoftGrid Client—A locally installed service running on a user's machine
that communicates with the virtual application server to receive the
streamed application and cache it for use even when the client isn't
connected to the network. The client also contains the SystemGuard
environment for runtime virtualized application execution.

5. SoftGrid Sequencer—A wizard-based tool that's used to create a
streamable application from the original application media. This process
will be familiar to users of software such as WinINSTALL, which creates a
.msi file based on installing an application. The sequencing of an
application actually consists of three phases: the package configuration,
which is an information gathering stage; the application installation,
during which the wizard monitors the OS for changes the application makes
during installation, including file-system changes, component
registration, and registry changes; and the actual launching of the
application, which is important because on first use SoftGrid prioritizes
the data to stream to the client based on what is first used when the
application starts (known as Feature Block 1—FB1—of the stream) rather
than waiting for the entire stream to send before the application can
start.

Additional components are available that 
integrate with Microsoft's System Center Configuration 
Manager (SCCM) solution to let 
you use SCCM for distribution. In addition, 
a separate client is designed for terminal 
server-type environments (including Citrix). 


Although I don't have space to discuss these 
components, you should be aware of them in 
case you use SCCM or terminal servers in your 
environment. 


Installation and Configuration 

The first step in using SoftGrid is to install 
the System Center Virtual Application Server 
component, which has reasonable software 
and hardware requirements. A data store 
is required for storing information such as 
application usage, licensing, and server configuration. 
The data store can be hosted on 
SQL Server 2005 or SQL Server 2000, as well 


Learning Path 


WINDOWS IT PRO RESOURCES: 

To learn more about SoftGrid: 

“Softricity SoftGrid 3.1,” InstantDoc ID 46974 

To learn more about virtualization: 

“Don’t Miss the Virtualization Boat,” InstantDoc ID 
47883 

“Server Virtualization Basics,” InstantDoc ID 50236 
“Server Virtualization Options,” InstantDoc ID 50641 

MICROSOFT RESOURCES: 

To learn more about SoftGrid: 

Microsoft SoftGrid Application Virtualization 
http://www.microsoft.com/systemcenter/softgrid/default.mspx 


To learn more about virtualization: 

Windows Virtualization 
http://www.microsoft.com/whdc/system/platform/virtual/default.mspx 



We’re in IT with You 


www.windowsitpro.com 

JOIN US THIS FALL IN LAS VEGAS AT THE 
CUTTING-EDGE EVENT FOR IT PROFESSIONALS! 

Over 240 in-depth sessions from Microsoft and industry 
experts, 150 speakers, and exciting announcements! 



CONNECTIONS RAISES THE BAR 
FOR IT CONFERENCES, DELIVERING: 

■ Expert Speakers 

■ Unparalleled Workshops 
■ Hot Location 

■ The most relevant, up-to-date content 
on the eve of Visual Studio 2008 
and Windows Server 2008 

NOVEMBER 5-8, 2007 




MICROSOFT EXCHANGE Connections 2007 

WINDOWS Connections 2007 


LAS VEGAS, NEVADA 


Mandalay Bay Resort and Casino 



Co-located with 

Microsoft ASP.NET Connections 
Visual Studio & .NET Connections 
Architect Connections 
SQL Server Magazine Connections 
Mobile Connections 
OpenForce '07 






WinConnections.com 


SharePoint Connections 2007 

Office Connections 2007 


REGISTER TODAY! 


800-505-1201 ■ 203-268-3204 



Microsoft WindowsITPro TechNet 


PENTON MEDIA 

IMMERSIVE EDUCATION FROM 
MICROSOFT AND THE WORLD'S 
TECHNOLOGY EXPERTS 


■ Choose from over 240 in-depth, no-hype sessions 
delivered by Microsoft and industry experts 

■ Get the scoop from Microsoft and independent, world- 
renowned experts in one event: the most well-rounded 
perspective of any technology event 

■ The best blend of sessions: where novice means novice 
and advanced means advanced 

■ Unique, hands-on Exchange troubleshooting, PowerShell, 
and virtualization workshops 

■ Learn the tips and tricks it takes to make the technology 
work based on real-world experience, not product 
marketing hype 

■ Dive into our highly focused pre- and post-conference 
workshops on Exchange, SharePoint, deployment, 
virtualization, security, Group Policy, and advanced 
Windows administration 

■ Explore the partner exposition, pick up great giveaways, 
and enter the contest to get the chance to drive home on a 
Harley-Davidson motorcycle 

■ Gain insights from hundreds of other participants who 
represent experienced IT professionals from a wide range of 
industries and enterprises 

■ Unwind and network with your peers at Mandalay Bay 
Resort and Casino. 

SCHEDULE AT A GLANCE 

SUNDAY, NOVEMBER 4, 2007 
8:00 am - 11:00 am    Pre-conference Workshop Registration ONLY 
9:00 am - 4:00 pm     Pre-conference Workshops 

MONDAY, NOVEMBER 5, 2007 
7:00 am - 5:00 pm     Conference Registration 
9:00 am - 4:00 pm     Pre-conference Workshops 
6:30 pm - 8:30 pm     Microsoft Executive Keynote 
8:30 pm - 10:30 pm    Expo Hall/Dessert Reception 

TUESDAY, NOVEMBER 6, 2007 • MICROSOFT DAY 
7:00 am - 5:00 pm     Conference Registration 
7:00 am - 8:00 am     Continental Breakfast 
8:00 am - 9:00 am     Keynote 
9:30 am - 10:30 am    Conference Sessions 
10:45 am - Mam        Conference Sessions 
11:45 am - 1:30 pm    Lunch 
1:30 pm - 2:30 pm     Conference Sessions 
2:45 pm - 3:45 pm     Conference Sessions 
4:15 pm - 5:15 pm     Conference Sessions 
5:15 pm - 6:30 pm     T-Shirt/Software Giveaway 

WEDNESDAY, NOVEMBER 7, 2007 
7:00 am - 5:00 pm     Conference Registration 
7:00 am - 8:00 am     Continental Breakfast 
8:00 am - 9:15 am     Conference Sessions 
10:00 am - 11:15 am   Conference Sessions 
11:30 am - 12:45 pm   Conference Sessions 
12:45 pm - 2:15 pm    Lunch 
2:00 pm               Harley-Davidson Drawing in the Expo Hall 
2:15 pm               Expo Hall Closes 
2:15 pm - 3:30 pm     Conference Sessions 
4:15 pm - 5:30 pm     Conference Sessions 

THURSDAY, NOVEMBER 8, 2007 
7:00 am - 8:00 am     Continental Breakfast 
8:00 am - 9:15 am     Conference Sessions 
9:30 am - 10:45 am    Conference Sessions 
11:30 am - 12:30 pm   Conference Sessions 
12:30 pm - 2:00 pm    Lunch 
2:00 pm - 3:00 pm     Conference Sessions 
3:00 pm - 3:30 pm     Ice Cream Break 
3:30 pm - 4:15 pm     Closing Session 

FRIDAY, NOVEMBER 9, 2007 
9:00 am - 4:00 pm     Post-conference Workshops 

SEE WEB SITE FOR THE LATEST SCHEDULE UPDATES. 
www.WinConnections.com 

Exciting Microsoft Executive Keynote to be announced! 
(Check Web site Aug 1 for more details) 


MAKING THE TRADEOFF: BE SECURE OR GET WORK DONE 

STEVE RILEY MICROSOFT 

Are you the kind of security person who enables a setting just because it's there? Do 
your users constantly seek ways to bypass all your fine-tuned security, just so they can 
do their jobs? Every security decision your organization makes ought to consider the 
security-usability (or even the security-usability-cost) tradeoff. While perfect security 
seems an admirable goal, in reality we must remember that usability often will trump our 
strongest desires. If people can't get work done, they'll either circumvent the security 
(without understanding they just created new attack vectors) or your company will simply 
lose out to your competitors. Steve Riley will discuss several examples of real-world 
tradeoffs and will help you learn how to navigate the tradeoff in your own organization. 

LIVING THE LONGHORN LIFE: 
WHAT'S UP WITH WINDOWS SERVER 2008 

MARK MINASI MR&D 

Microsoft released the new desktop, Windows Vista, in November 2006... but that's 
just the start. A new version of Server's right on its heels-formerly code-named 
"Longhorn Server," it'll be named Windows Server 2008, and it will pack a ton of new 
stuff, from some really good news in Active Directory to some nifty new deployment 
tools, a quarantine system that'll help you keep the worm-ridden systems off of your 
network, a revamped Web server, and a few truly long-awaited changes in group policy. 
How can you find out about all of this? Well, you could download a few terabytes worth 
of white papers and start sifting through them to separate the wheat from the chaff, or 
you could attend this short session by Mark Minasi, the guy who's been explaining new 
operating systems since Windows 1.0. Come to this session and find out why Server Core may be your favorite 
new piece of software! 


NEXT GENERATION MESSAGING 

TONY REDMOND HP 

Microsoft Exchange 2007 is very different to the generations of Exchange that have 
gone before and forces administrators to consider new ways of deploying the Exchange 
ecosystem onto a Windows 64-bit platform. All we can guarantee about technology is 
that change will continue to occur or even accelerate as new hardware and software 
technologies influence the design decisions that groups like the Exchange engineering 
team make as they work on new versions of Exchange to appear in the 2010-2015 timeframe. 
This session discusses some of the technology directions that may influence the 
way that Exchange evolves, including virtualization, mobility, information lifecycle management, 
unified communications, automation, and software as a service. 






THE FUNGIBLE FUTURE: THE CREATION OF COOL AND 
CONSUMERIZATION OF I.T.: A PANEL DISCUSSION 


ROMI MAHAJAN MICROSOFT 

As the pace of change increases in the world of information technology, job-roles, personas, 
affinities, and alliances change just as rapidly. Ultimately, lines of distinction 
blur between the roles of IT professionals and developers, between "work-related" 
technologies and "consumer" technologies, between work-time, play-time, and home-time. 
In addition, there is a strong relationship and even a causal link between what 
we think is cool and what we ultimately buy at home with what we think is relevant 
and what we ultimately buy to run our enterprises. As these lines blur, we find that we 
are in a world in which the old distinctions melt: the fungible future is upon us now! 
Please join a renowned panel discussing these trends and helping us all determine what are the next big 
trends that disrupt and the next steps in the creation of cool. 



SESSIONS AND SPEAKERS ARE SUBJECT TO CHANGE. SEE WEB SITE FOR UPDATES AND ADDITIONAL SESSIONS. 

www.WinConnections.com 

It's the all-new, re-architected, more powerful messaging 
and groupware platform from Microsoft: Exchange Server 
2007! Packed with new features, new architectural 
options, and new capabilities, Exchange Server 2007 is 
also the first fully automatable and command-line-managed 
server product from Microsoft, leveraging the 
Windows PowerShell shell and scripting environment. Rely 
on Exchange Connections to connect you with the most 
respected and relied-upon subject-matter experts in the 
world for Exchange Server 2007. Come to Exchange 
Connections to: 

■ Learn about new architecture options in Exchange Server 2007, including 
ways of scaling out your Exchange Server environment bigger and better 
than ever before. 

■ Discover how Exchange Server 2007 works under-the-hood, including data 
management, engine details, troubleshooting and disaster recovery, and 
much more. 

■ Learn about deployment and migration techniques and issues, making your 
Exchange Server 2007 migration and deployment easier, safer, and faster. 

■ Provide your users with anywhere e-mail access through an all-new Outlook 
Web Access, mobile e-mail access, and much more. 

■ Keep your Exchange Server 2007 environment secure with information on 
internal security, antivirus, anti-spam, and other measures that keep your 
environment and your users safer. 

EXCHANGE CONNECTIONS COVERS THE 
TECHNOLOGIES YOU NEED: 

DISASTER RECOVERY 
Continuous Backup 
Standby Cluster Recovery 
Online Backup Recovery 

SECURITY 
Sender ID 
Creating and Testing Mail Hygiene 

TROUBLESHOOTING 
Troubleshooting Message Flow 
Troubleshooting DNS 
Advanced SMTP Troubleshooting 

MIGRATION AND DEPLOYMENT 
Migration Issues 
Deployment Techniques 
Performance Optimization 

END-USER FEATURES 
Client Access Server 
Small Business Mobility 
Getting Rid of PSTs 

MICROSOFT SYSTEM CENTER DATA PROTECTION MANAGER 
(DPM) 2007: HOW TO PROTECT MICROSOFT EXCHANGE SERVER 

Currently in beta, DPM 2007 is designed to provide a best-of-breed protection and 
the most robust, reliable recovery experience for Exchange Server, SQL Server, 
and SharePoint. This session focuses on the specifics of how DPM protects 
Exchange, including 2003 servers and 2007 CCR and LCR clusters. The session 
covers specifically how Exchange storage groups and mailboxes are protected 
and what functionality is available for restore. Be the first to see how DPM 2007 
beta 2 protects Exchange and other Microsoft server platforms. 


MICROSOFT EXCHANGE 2007 ARCHITECTURE AND DESIGN 
AT MICROSOFT 

Ever wondered how a large enterprise plans and implements design and architecture 
of its next generation of messaging system? Join us in this session where 
engineers from the Microsoft IT messaging team uncover the details on how 
Exchange 2007 infrastructure was introduced and fully deployed in a 120,000+ 
mailbox production environment. Topics include: messaging topology design, 
hardware planning for various Exchange server roles, client access server (CAS) 
and mobility scenarios, transport architecture, mailbox server and storage 
designs, backup, restore, and high availability strategies. 


EARLY LOOK AT EXCHANGE 2007 SP1 

Interested in learning about the new features and capabilities available in 
Exchange Server 2007 SP1? This session takes a look at the continued investments 
made in Outlook Web Access, increased availability models, and new 
management tasks such as Public Folder administration built into the 
Exchange Management Console. 

GETTING STARTED WITH MICROSOFT EXCHANGE SERVER 2007: 
SIMPLE INSTALLATION, SETUP, AND ADMINISTRATION SCENARIOS 

Exchange Server 2007 is now built on standard Microsoft installer so that you can 
take advantage of patching services such as the Software Update Service (SUS). 
This includes new server roles for flexible deployment of the topologies you 
require and the power to automate installation. These are just some of the new 
advancements in the Exchange Server 2007 set-up experience. This is a must-see 
session for a high-level overview and walkthrough of how you will be deploying 
Exchange 2007. 


MICROSOFT WINDOWS POWERSHELL SCRIPTING 
FOR MICROSOFT EXCHANGE SERVER 2007 

This session covers the new Windows PowerShell-based Exchange cmdline and 
scripting interface. Learn how to convert your multiple page Visual Basic and 
COM scripts to mere one-liners in Exchange 2007. This session covers the basics 
of the management shell, as well as the underlying design and key concepts. 
Additionally, it goes into more depth on how to build larger scripts that you 
can use to automate small, medium, as well as enterprise business scenarios. 

HIGH AVAILABILITY IN MICROSOFT EXCHANGE SERVER 2007 
AND EXCHANGE SERVER 2007 SERVICE PACK 1 

E-mail has become mission-critical for the large and the small. Businesses and 
organizations of all types can no longer afford the extended outages of disasters 
like failed disks, corrupt databases, failed servers, or power outages. 
Exchange Server 2007 provides simplified in-the-box HA solutions that make 
recovery from many disasters barely noticeable to end users. Learn how Local 
Continuous Replication, Cluster Continuous Replication, Standby Continuous 
Replication, and Single Copy Clusters provide fast recovery for events that 
used to be called disasters. 

THE PRACTICAL DO'S AND DON'TS IN DISASTER RECOVERY 
FOR MICROSOFT EXCHANGE SERVER 2007 

What do you do when a disaster such as component failure, power outage, operator 
error, malicious activity, or natural disaster out-strips your Exchange 2007 
high availability solution? How do you minimize the impact of the disaster and 
resume business operations as quickly as possible? This session covers practical 
techniques you can use to recover from system faults, operational best practices 
that enable business continuity, and barriers to availability and recovery to 
watch out for. 

MICROSOFT EXCHANGE SERVER 2007: TIPS AND TRICKS 

This session focuses on troubleshooting tips and tricks for the most common 
Exchange Server 2007 symptoms encountered by Microsoft Customer Service 
and Support. These symptom areas include: mailflow, disaster recovery, and performance. 
The session touches on the capabilities and use of the Exchange Best 
Practices Analyzer and Database/Mailflow/Performance troubleshooters. 
Moreover, the session provides additional tips and tricks beyond the capabilities 
of those tools. 

UNIFIED COMMUNICATIONS 


ADDING VOICE TO THE ENTERPRISE: THE NEW CAPABILITIES OF 
MICROSOFT OFFICE COMMUNICATIONS SERVER 2007 AND 
OFFICE COMMUNICATOR 2007 

Be the first to discover the new capabilities of Office Communications Server 
2007 and Office Communicator 2007, which will transform the IM, presence, voice, 
and conferencing scenarios. 

MICROSOFT OFFICE COMMUNICATIONS SERVER 2007: 
A LOOK AT ITS ARCHITECTURE AND DESIGN 

This session provides an overview of Office Communications Server (OCS) capabilities, 
architecture, and topologies. This includes an overview of all infrastructure 
investments in the OCS 2007 server release, spanning presence, conferencing, 
voice, and manageability. Next, it drills into the architectural building blocks of 
OCS, providing a comprehensive overview. Finally, it describes the typical topologies 
for OCS in different classes of customer environments, including aspects of 
scale, external access, and geographical distribution. 



REGISTER TODAY ■ 800-505-1201 ■ 203-268-3204 


ON-PREMISE CONFERENCING: DELIVERING ENTERPRISE-CLASS 
VOICE, VIDEO, AND WEB CONFERENCING WITH MICROSOFT 
OFFICE COMMUNICATIONS SERVER 2007 

This session describes the conferencing capabilities of Office Communications 
Server (OCS) 2007, explains the infrastructure needed to deliver conferencing 
capabilities with OCS, and the best practices to plan and deploy the conferencing 
capabilities of OCS 2007. 

PLANNING AND DEPLOYING MICROSOFT OFFICE COMMUNICATIONS 
SERVER 2007 AND OFFICE COMMUNICATOR 2007 

A new range of deployment configurations of Office Communications Server (OCS) 
2007 can now support everything from high availability and scalability requirements, 
to high availability and simplicity requirements, to the need for economical 
and simple deployment. This session talks about how you can plan to deploy 
these configurations for companies from 1000 users to one-million users across 
one or multiple locations. Learn how to control the OCS 2007 capabilities delivered 
to an individual user or a set of users and manage Office Communicator client versions 
in your enterprise. 

MIGRATING FROM MICROSOFT OFFICE LIVE COMMUNICATIONS 
SERVER (LCS) 2005 TO OFFICE COMMUNICATIONS SERVER 
(OCS) 2007 

This session provides you with up-to-date information on the tools and guidance 
you need to move from, and co-exist with LCS 2005 SP1 to OCS 2007 platform. 
The session covers recommended deployment strategies for servers and 
clients when migrating from LCS 2005 SP1 to OCS 2007. We'll discuss planning 
aspects when deploying OCS 2007 to co-exist with LCS 2005 SP1 and transitioning 
to enhanced presence. 

VOICE AND VIDEO IN MICROSOFT OFFICE COMMUNICATION 
SERVER 2007: INSIGHTS TO QUALITY OF EXPERIENCE AND 
PLANNING FOR NETWORK BANDWIDTH USAGE 

Come to this session to learn about how OCS will deliver the best possible quality 
of experience without requiring QoS on any network, anytime, anywhere. Learn 
about the comprehensive approach that combines adaptive end-points measuring 
the experience for all calls at all times, and an advanced media stack that can 
correct network and non-network impairments. 

EXC16: ADVANCED EXCHANGE 
PROTECTION USING DATA 
PROTECTION MANAGER 
DEVIN L. GANGER 

Backing up and restoring Exchange servers is an 
essential part of keeping your messaging infrastructure 
up and running, even when you're running 
an advanced clustering configuration. Why 
should you consider using the new version of 
Microsoft System Center Data Protection Manager 
("v2") to protect your Exchange server clusters? Is 
it any harder than backing up standalone servers? 
This session covers protecting Exchange 2003 and 
2007 servers in clustered configurations, including 
the new Exchange 2007 replication options. 

EXC02: BEST PRACTICES FOR EXCHANGE 
2007 CLUSTERED MAILBOX SERVER 
(CMS) DEPLOYMENTS 
DARAGH MORRISSEY 

This session describes how you can deploy 
Exchange 2007 in scenarios where high availability 
is a key requirement. This session covers the 
following topics: 

■ Overview of Exchange 2007 
Clustered Mailbox Servers 

■ Overview of CCR 

■ Deployment requirements 

■ Deployment best practices 

■ Managing CMS and CCR with PowerShell 

■ Monitoring CMS with the Exchange 2007 
Management Pack 

■ Managing your CMS deployment 
with PowerShell 

EXC10: BEYOND THE ETHICAL 
WALL: USING EXCHANGE 2007 
TRANSPORT RULES 
CHRIS SCHARFF 

Most discussions of the new transport rules begin 
and end with an example of using the new transport 
rules interface in Exchange 2007 to implement 
an ethical wall. This session will explore additional 
examples where you can use transport rules in a 
broad cross-section of organizations. 

EXC20: CONTINUOUS DATA 
PROTECTION FOR EXCHANGE 
PAUL ROBICHAUX 

Exchange makes full use of both conventional and 
point-in-time backup technologies. However, many 
administrators want more! This session will explain 
the underpinnings of continuous backup solutions 
from Microsoft and third-party vendors for 
Exchange 2003 and Exchange 2007 so you can 
choose an appropriate solution for your needs. 

EXC06: CRASH COURSE TO EXCHANGE 
SERVER 2007 CLUSTER CONTINUOUS 
REPLICATION 

JUERGEN HASSLAUER 

If you managed to get around deploying Exchange 
clusters in the past and preferred running 
Exchange on single servers, now is the right time to 
reevaluate the pros and cons of clustering 
Exchange. Attend this session and you will get a 
fast start to CCR. You will learn the architecture of 
Windows failover clustering and the things you 
need to know about a Majority Node Set cluster. I 
will discuss what you have to consider for a geographically 
dispersed deployment of CCR and how 
to manage CCR. You will learn in one session what 
others have learned the hard way. Additionally, I 
will provide an outlook to the options Windows 
Server 2008 will provide. 

EXC13: EXCHANGE 2003: 
BEST PRACTICES DAY BY DAY 
JIM MCBEE 

What should you be doing on a daily basis to keep 
your Exchange servers stable and running optimally? 
Topics in this session include the basic tasks 
that you should perform on every Exchange 2003 
server and events to watch for in the event logs. 
What can you do to improve your Exchange operations, 
customize your operations, and tweak 
Exchange to meet the requirements of your organization? 
Also covered are some "worst" practices in 
Exchange management such as "over administering" 
the Exchange server and common configuration 
mistakes. 

EXC08: EXCHANGE 2007 
AND COMPLIANCE 

KIERAN MCCORRY 

Exchange 2007 allows you to implement various 
e-mail policies that can help you meet your compliance 
and records management needs. How 
does this technology work and what considerations 
do you need to have to make sure your 
users take advantage of them? This session will 
cover the major advancements in this area highlighting 
how you can make the best use of these 
technologies. 

EXC04: EXCHANGE 2007 DESIGNING 
FOR UNIFIED MESSAGING 
ANTHONY VITNELL 

The Exchange 2007 Unified Messaging role has 
introduced a completely new concept for Exchange 
Administrators. This role introduces new design criteria 
such as telephony integration, dial plans, and 
linguistic issues that you must address. In this 
deep-dive session I will build on real customer 
experiences and walk through the Unified 
Messaging design requirements, explain what happens 
when the UM server receives a call, and look 
at deployment architectures. In addition, I will discuss 
the limitations of the Unified Messaging role 
and provide strategies to work around these limitations. 
At the conclusion of this session you will have 
the knowledge required to design the Unified 
Messaging role for your organization. 

EXC14: EXCHANGE 2007 FOR 
EXCHANGE 2003 ADMINISTRATORS 
JIM MCBEE 

There has been a lot of hype and media attention 
surrounding Exchange 2007. The Exchange community 
had their first look at Exchange 2007 in the 
summer of 2006. But what does the release of 
Exchange 2007 mean to your users and you as an 
Exchange 2003 administrator? 64-bit hardware 
support, a revamped user interface through a new 
graphical user interface or Monad scripts, continuous 
replication, resource mailbox support, Edge 
services, improved mobile support, and unified 
messaging will all affect the way you manage your 
Exchange organizations and the services you provide 
to your user community. Topics in this session 
will include: 

■ Determining a migration / upgrade path to 
Exchange 2007 from your current Exchange 
environment 

■ Implementing e-mail lifecycle management 

■ Implementing Outlook 2007 using 
the auto-discovery service 

■ Reviewing the new Exchange server roles 

■ Using new features for virus protection, 
spam reduction, and content filtering 

■ Using the new Exchange Management 
Console and Monad scriptlets 

■ Using local continuous replication 
to improve availability 

■ Implementing Exchange Edge services 

■ Reviewing new unified messaging features 

■ Taking advantage of resource mailboxes 
and the scheduling assistant 

EXC07: EXCHANGE MAILBOX 
SERVER SIZING 
JUERGEN HASSLAUER 

Exchange Server 2007 is now a 64-bit application 
and it removed scalability boundaries of its 32-bit 
predecessor. No more kernel memory limits and 
heavily reduced storage performance requirements. 
Can I now host 10,000 users with 2 GB 
mailboxes on one mailbox server? Should I give 
back my expensive SAN array and buy a few 
cheap large capacity disks for a direct attached 
storage box? Continuous replication looks great, 
should I drop the best practice to run daily full 
backups and put all my faith in the database 
replica? This session will provide answers to 
these questions that reappeared during each 
Exchange Server 2007 migration workshop. This 
session will also discuss rules of thumb for sizing 
your Exchange servers and share the findings 
from the first production deployments in corporate 
environments. 

EXC17: EXCHANGE MANAGEMENT 
SHELL ANNOYANCES 
DEVIN L. GANGER 

The Exchange 2007 Management Shell makes full 
use of the exciting new Windows PowerShell technology. 
It's a great command-line management 
experience, but it's still not perfect. You may have 
already been tripped up by annoyances and complications 
in what seem to be obvious tasks or you 
may just want to know what dangers lurk beneath 
the surface. This session will show you some common 
pitfalls and problems and give you the knowledge 
to successfully navigate them. 

EXC18: GETTING RUN OVER 
BY EXCHANGE 2007 
DEVIN L. GANGER 

Common knowledge says that upgrading to 
Exchange 2007 isn't nearly as hard as the 
upgrade from Exchange 5.5. That's not to say that 
it doesn't present its own set of challenges-and if 
you're caught by them, it will still feel like getting 
run over by a truck. This session will present 
some of the common gotchas and how to avoid 
them. Be at the head of the upgrade parade, not 
caught in the wheels. 

EXC01: GETTING THE MOST FROM THE 
EXCHANGE 2007 MOM MANAGEMENT PACK 
DARAGH MORRISSEY 

Learn how to deploy the Exchange 2007 
Management Pack and leverage the information it 
provides on the health of your Exchange 2007 
deployment. This topic covers the following areas: 

■ Basics of Microsoft Operations 
Manager (MOM) 2005 

■ Overview of the Exchange 2007 
Management Pack 

■ Best practices for deployment 

■ Learn how to integrate other 
tools such as the EXBPA 

■ Configuring alerts and rules 

■ Measuring service levels 

■ Auditing Exchange permissions 

EXC21: HELLO? IT'S FOR YOU! 
GETTING STARTED WITH UNIFIED 
COMMUNICATIONS 
PAUL ROBICHAUX 

Exchange 2007 and Office Communications Server 
2007 offer some eye-popping unified communications 
features-but they're scary if your only 
telephony experience is with the phone on your 
desk. This session will explore the new features, 
demystify what they can do for you and your 
users, and provide practical deployment advice to 
help you get started right. 

EXC11: IMPLEMENTING TLS 
IN EXCHANGE 
CHRIS SCHARFF 

Transport Layer Security (TLS) provides encryption 
for the transmission of SMTP messages. Find out how 
to configure TLS in Exchange 2003 and 2007. 
Understand what this solution does and doesn't 
provide in terms of message security. 

EXC03: OFFICE COMMUNICATIONS 
SERVER 2007 BRANCH OFFICE VOIP 
ANTHONY VITNELL 

Branch office telephony environments are typically 
costly to manage and remotely support. Office 
Communications Server 2007 provides the capabilities 
to deploy secure and reliable VOIP and Unified 
Communications capabilities to the branch office. 
This session will cover design and deployment scenarios 
using the Office Communications Server 
2007 IP-PBX features in the branch office environment. 
Learn how easy it can be to deploy Unified 
Communications to a new branch office site with 
Office Communications Server 2007. 

EXC19: POWERSHELL 
FOR BEGINNERS 
PAUL ROBICHAUX 

The Exchange Management 
Shell (EMS) is a key part of 
the Exchange 2007 experience. 
What if you're not a 
scripter? Don't worry; you 
can still get plenty done with 
EMS after just a little learning. 
This session covers the basics of 
what you need to know about 
how EMS works and what you 
can do with it. 

EXC05: PROTECTING YOUR 
EXCHANGE 2007 FROM 
SPAM-BEST PRACTICES 
DARAGH MORRISSEY 

This session provides best practices to prevent 
spam hitting your Exchange 2007 deployment 
and covers the following areas: 

■ Spam terminology 

■ 1st/2nd/3rd generation techniques 
for blocking spam 

■ Best practices 

■ Reducing false positives 

■ Building a proof-of-concept to measure the 
performance of your anti-spam measures 

■ Overview of Exchange 2007 Edge Server 
anti-spam features 

■ HP case study 

EXC12: USER PROVISIONING 
WITH POWERSHELL 
CHRIS SCHARFF 

A walkthrough of user provisioning using the flexibility 
provided with Windows PowerShell. Automate 
repetitive tasks to save time and reduce errors. 

EXC09: WHAT'S NEW IN 
EXCHANGE 2007 SP1? 
KIERAN MCCORRY 

See Web site for session abstract. 

Immerse yourself in the latest Windows technologies: 
Windows Server 2008, virtualization, WDS, Windows 
Vista, SoftGrid and more-with experts from Microsoft 
Corporation and world-renowned subject matter 
experts! Windows Connections offers the deepest and most 
relevant education for Microsoft Windows administrators- 
knowledge that is critical as major new products arrive for 
your enterprise. 

Windows Server 2008 and Windows Vista introduce major 
change, and now is the time for you to quickly come up to 
speed. Be prepared through the real-world experience of 
our expert presenters and instructors. "Insider" details from 
Microsoft, MVPs, and other participants help you make sense 
of the new technologies, apply them to your environment, 
and master them faster and more effectively. 

■ Be fully prepared to deploy and support Windows Vista. Learn how to manage
its advanced networking and security technologies, and how to support volume
license activation (a major deployment hurdle if you're not ready). Learn
all there is to know about new Group Policy settings and functionality from 
GPO guru Jeremy Moskowitz. Get a roadmap for how to manage and protect 
user data, from effective redirection and roaming to disk encryption. And get 
the inside scoop on Vista deployment and desktop management from experts 
Rhonda Layfield and Dan Holme. 


■ Become an expert on the soon-to-launch Windows Server 2008. Learn how to 
manage the GUI-less Server Core from command-line commando Mark Minasi, 
how and when to migrate to 32- and 64-bit versions of Microsoft's new server 
platform, and everything that's changed in server roles, including Active 
Directory security and disaster recovery. Discover how the new features of 
Terminal Services and SoftGrid can revolutionize the way you support applications
in your enterprise. And get one-of-a-kind, practical guidance to securing
your enterprise, from file share provisioning to event log auditing to using
certificate-based authentication. And get the first of its kind insight into the 
new DFS Replication of Sysvol, and how to migrate your DCs to it. 

■ Take home Solutions: find out how to implement SharePoint document
libraries as a replacement for shared folders, how to manage Windows for
compliance and auditing, how to increase security through IPSec and network
access protection, and how to implement role-based management and
provisioning.

■ This is the year of virtualization and management. Get the guidance you 
need to choose and implement a virtualization strategy with independent 
expert Alan Sugano's insights into VMware and Windows virtualization. And 
get up to speed with the new version of SMS: System Center Configuration 
Manager 2007. 

■ Become a more effective and efficient administrator through our unique 
Windows PowerShell courses. 


PROTECTING SENSITIVE DATA WITH BITLOCKER 
DRIVE ENCRYPTION 

This presentation will provide you with an overview of BitLocker™ Drive Encryption 
(BDE) including system requirements, features, and real-life examples of how to 
implement BitLocker™ to protect systems in a field office, to secure, upgrade, or 
decommission an existing drive, or to recover data from a compromised PC asset. 

INTRODUCTION TO SERVER CORE RUNNING MINIMAL WINDOWS 2008 

This session introduces the concept of Server Core. Server Core is a lightweight 
subset of Windows 2008 with roles specific to the Standard, Enterprise, and 
DataCenter environments that reduce the server's vulnerability to attack as 
well as the costs of upgrading and maintaining the server. 

GETTING TO KNOW WINDOWS SERVER 2008-ADMINISTRATION, 
CLUSTERING, PERFORMANCE AND MORE 

This session will introduce you to several new features in Windows Server 2008 
including the new management console, new clustering features, performance and 
reliability monitoring, and a brief look at PowerShell. Windows Server 2008 includes 
some new and enhanced features to improve security and application deployment 
on your network. Enhancements in Terminal Services allow you to more easily 
deploy only the applications you want while protecting the server environment. 

WINDOWS SERVER 2008 TERMINAL SERVICES TECHNICAL OVERVIEW 

For organizations that have remote users, Windows Server 2008 adds improvements
and innovations to Terminal Services that facilitate better integration of
remote and local applications on client computers, access to these same remote
programs via Web browser, and a means to access remote terminals and applications
across firewalls. Because Windows Server 2008 will ship on x64, it has the
ability to use the additional processors and RAM that x64 offers, increasing the
number of users that a Terminal Services server can support.

EVERYTHING YOU NEED TO KNOW ABOUT DEPLOYING VISTA 
IN 60 MINS 

How many images do you currently maintain for your desktop deployments? 
How much time do you spend re-working those images when changes take 
place? This session will explain how to reduce the number of images you maintain
as well as demonstrate how easy it is to maintain and update images using
the BDD Workbench, Windows Automated Installation Kit, and Windows System 
Image Manager. There will also be a demo of the new ImageX utilities. 

WHAT IS NETWORK ACCESS PROTECTION AND WHAT CAN IT 
DO FOR ME? 

This session will introduce you to Network Access Protection (NAP), which is a 
new platform that ensures the health of your systems by performing computer 
health policy validation and many other processes. This session looks at NAP 
enforcement and the many enforcement options that can combine to ensure that 
you have healthy systems. Then it looks at how to enforce health policies for
Dynamic Host Configuration Protocol (DHCP), Internet Protocol security (IPsec) as 
well as Routing and Remote Access (RRAS), and how it allows you to enforce 
health policies on VPN-based remote access connections to an intranet. 

DEPLOYING IPSEC WITH WINDOWS VISTA 

This session looks at the new network stack in Windows Vista and the innovations that
help secure the network by filtering network traffic and preventing unwanted forwarding.
This includes features in the Windows Firewall such as the new rules
system, which has many scenarios already defined in an easy-to-use interface.
You will also see how Windows Vista helps secure connections with tightly integrated
Internet Protocol security and how this plays out in mixed networking
environments.

WINDOWS SERVER 2008 VIRTUALIZATION- 
FEATURE AND ARCHITECTURE OVERVIEW 

This session starts with an overview of virtualization technology discussing how 
virtualization technology is being embraced at the enterprise level, and the 
benefits it brings, including cost savings and more effective resource utilization. 
It also introduces Windows Server Virtualization, or WSv. WSv brings several 
advances to virtualization technology. This session talks about the business 
case for its use and introduces some of the technical and architecture details. 

WIN721: ACTIVE DIRECTORY DISASTER
RECOVERY IN WINDOWS SERVER 2008

GUIDO GRILLENMEIER 

Backing up and restoring your complete Active
Directory forest—or objects that you have accidentally
deleted in a domain—has always been a lot of
fun with previous versions of the Windows Server 
OS. Come to this session to find out how much more 
fun you can have restoring your AD or specific 
objects with Windows Server 2008! Microsoft has 
invested a lot of resources to completely overhaul 
the mechanisms and tools to back up Windows 
Servers in this OS release. This change has various 
impacts on the strategy you use to back up your AD 
Domain Controllers and how you restore them. It 
may even impact how you configure your domain 
controller disk subsystem. But there is a lot of good 
news when it comes to recovering objects in AD, 
which will be demonstrated in detail in this session. 
We'll also discuss those recovery tasks that remain
a challenge.

WIN822: INCREASING THE SECURITY IN 
YOUR ACTIVE DIRECTORY USING 
WINDOWS SERVER 2008 

GUIDO GRILLENMEIER 

Active Directory has received various security
updates in Windows Server 2008, some of which are
hard to miss, such as the capability to deploy read-only
domain controllers (RODC). However, there are
plenty of other enhancements hiding under the
hood that AD administrators should know about to
further tighten the security in their AD infrastructures.
This includes features such as Owner Access
Restriction, fine-grained password policies, various
updates around the auditing capabilities of Active
Directory, and the Admin-Role Separation feature
for read-only domain controllers (RODC). This session
will explain how best to leverage the various
new features to ensure the operation of a secure
Active Directory with Windows Server 2008.

WIN823: REPLICATING SYSVOL IN 
WINDOWS SERVER 2008 

RHONDA LAYFIELD 

Replication of SYSVOL is one of the most important
aspects when it comes to the security of your
desktops. SYSVOL replicates all those group policy
objects you have spent so much time researching/testing
and ultimately implementing. But what
happens when those settings never arrive at the 
desktop? In this session you will learn how SYSVOL 
is replicated and how to troubleshoot when it fails, 
step-by-step. 

WIN712: WINDOWS SERVER 2008 ACTIVE 
DIRECTORY TECHNICAL DRILL-DOWN 
MARK MINASI 

Join Mark Minasi for a close-up look at Active
Directory under Windows Server 2008. Find out
about read-only domain controllers (they're more
than just a BDC), fine-grained password policies,
the new DCPROMO, and lots more!

SECURITY 

WIN743: ARE PASSWORDS DEAD?
LONG LIVE THE SMARTCARD
BRIAN KOMAR 

The decision to enforce smart cards for authentication
is a huge step for an organization. This
session will look at the issues blocking smart 
card deployment in today's networks, help you 
plan a smart card deployment using Microsoft's 
Identity Lifecycle Manager 2007, and discuss a 
case study of a current implementation that 
Brian is working on. 

WIN713: LAPTOP LOST-WHAT SHOULD I 
HAVE DONE, NOW THAT IT'S TOO LATE? 
BRIAN KOMAR 

Don't be the latest headline. Plug potential data 
"leaks" by encrypting user systems. Explore the 
pros and cons of Encrypting File System (EFS) and
Windows Vista BitLocker during this practical,
technical session. 

VIRTUALIZATION 


WIN733: SOFTGRID 101 

JEREMY MOSKOWITZ 

Let me guess: your machines just "blow up" now 
and again. And I know why. It's because you have 
a zillion applications on them with a half a zillion 
conflicts and things just "deteriorate" over time. 
Wouldn't it be neat if you could just eliminate that 
problem altogether? Well, with Microsoft's newest
acquisition, Softgrid, you can. It works by "wrapping
up" your existing software into "sequences,"
and then putting them into a virtual sandbox. The 
upshot? Your applications aren't running "on" 
Windows. They're running within the sandbox. So, 
no more desktop deterioration. Softgrid is a big 
place, but come to this session to make sure you 
know the ins and outs before you get it in your 
organization! 

Note: See the Virtualization pre-conference workshops on 
pages Li 

WINDOWS SERVER 2008 

WIN741: THE FILE SHARE IS DEAD: 
IMPLEMENTING WINDOWS SHAREPOINT 
SERVICES DOCUMENT LIBRARIES 
DAN HOLME 

After a short life of barely a decade, the Windows 
Server shared folder is dead, or at least on life 
support. Why? Because the features that we've all 
been missing-version control, version history, 
extensibility, and workflow-are now achievable 
using Windows SharePoint Services document 
libraries. Learn how to move forward into a new 
era of document management in this practical 
application of SharePoint. 


WIN731: AUTOMATING AND PROVISIONING 
SECURE BUSINESS DATA SHARES 
DAN HOLME 

Whether for security, compliance, or manageability,
the time has come for IT organizations to reexamine
how they manage traditional file shares.
This practical, solutions-focused session will present
a vision for role-based, provisioned management
of shared data folders. You will take away
tools and a punch-list of processes that you can 
adapt to your enterprise's requirements to 
achieve that vision. Participants in this session 
are expected to have a solid understanding of 
access control lists (ACLs) and group management 
in Active Directory. 

WIN832: 64-BIT WINDOWS SERVER 2008 
VERSIONS-WHY SHOULD YOU CARE? 

GUIDO GRILLENMEIER 

By the end of 2007, the demand for 64-bit Windows 
servers will require all IT administrators to be 
aware of the ins and outs of 64-bit computing. 
Driven by the need to deploy the 64-bit Windows 
OS to support applications such as Exchange 2007, 
what are the challenges you'll face when moving 
down the 64-bit road: What does this mean for 
your 32-bit applications? Will they work and how? 
Will they perform better or worse? Should you 
leverage the x64 architecture or move to Itanium? 
What's really the difference between the two? How 
does Windows Server 2008 support either architecture?
This session explains the most important
things to know about the different 64-bit Windows
architectures and why you should care about
them. Special focus will be put on 32-bit compatibility
challenges and solutions as well as discussing
deployment scenarios for the 64-bit versions
of Windows Server 2008.

WIN732: THE ACCIDENTAL DBA'S GUIDE: 
SQL SERVER EXPRESS AND MSDE FOR 
THE RELUCTANT 
MARK MINASI 

Think you're a network administrator but that you're 
not-or don't need to be-a SQL administrator? 
Think again; you may already BE a database administrator
(DBA) and not even know it. Or... it might just
be time to get ready to become one. 

In the past few years, Microsoft has released tons of
useful and free applications, management, and troubleshooting
utilities. Tools like WSUS, Ultrasound,
Windows SharePoint Services, Application
Compatibility Toolkit, and others. While they're
essential tools in any network, they've all got one
thing in common: they need a real-live SQL Server to
hold onto their data. Knowing that many folks can't
afford a full-blown copy of SQL Server for those utilities,
Microsoft has, for years, given away "cut-down"
versions of SQL Server first called MSDE and
more recently named SQL Server Express (SSX). In
addition to these free Microsoft apps, many useful
third-party applications are built atop MSDE and
SSX, and some of them install MSDE/SSX quietly-which,
again, means that you may already be a DBA
and not know it.

The bad news about these applications is that SQL 
administration skills are no longer optional: EVERY 
network admin has to know how to install, secure, 
and maintain simple SQL servers to serve as backend
for system utilities. But there's also good news:
it doesn't take long to learn those skills. Join Mark 
Minasi, author of the best-selling "Mastering 
Windows Server" books and creator of "The 
Accidental DBA's Guide to MSDE and SSX," for a look 
at MSDE and SSX: how to install them, how to secure 
them, and how to run them, including 25 cookbooks 
to solve common problems and perform basic maintenance.
If you need to understand MSDE/SSX to
support SharePoint, WSUS, Ultrasound, ACT or any of 
the popular backup utilities built atop database 
servers, then this is the best time you can spend! 

WIN821: COMMAND MICROSOFT
WINDOWS FROM C: LEVEL...
AND GET READY FOR SERVER CORE!
MARK MINASI 

Still doing administration from the GUI? Well, that
works, of course—but while GUIs are nice for now-and-then
tasks, you can get a lot more done from
the command line and, even better, you can stuff
your favorite command lines into Notepad to create
the world's simplest administration tool. But
there are many more reasons to learn the command
line. For one thing, text-based command
interfaces like telnet, ssh, and the like run on virtually
no bandwidth, which can be perfect in some
remote-control situations. And then there's the
reliable, largely unchanging nature of command-line
tools: ask any Windows veteran how he got
past having to learn the new Vista GUI to change
an IP address, create a user, or change a password,
and you're likely to hear that he just opened
up a command prompt and used many of the
same "net" commands he'd been using since 1985.
Perhaps the strongest argument for the command
line, however, isn't the past—it's the future.
Windows Server 2008 offers a sleeker, easier-to-control
version of itself called "Server Core." It
runs on less RAM and disk, but lacks a GUI. Once
Windows Server 2008 ships, it'll be hip to be a
command line square! The hard part, of course, is
getting started-and who better to help you than
Mark Minasi, whose 100+ "This Old Resource Kit"
and "Windows Power Tools" columns have discovered
and explained the best Microsoft command-line
administration tools for the past nine years.
While the "altitude"—that is, high-level nature—of
GUIs is nice, really getting the job done in the least
amount of time needs a more down-to-earth,
"C:\ level" approach. Join Mark when he covers
over 50 Windows command-line tools and see how
to "command" Windows to do your bidding!

WIN842: MIGRATION STRATEGIES FOR 
WINDOWS SERVER 2008 
SEAN DEUBY 

Whether you're in the role of a single server 
administrator or owner of a corporate Active 
Directory, upgrading to Windows Server 2008 
requires thorough planning and testing. This session
will review different migration strategies for
several Windows Server 2008 roles, with a focus 
on upgrading your Active Directory forest. 

WINDOWS VISTA 


WIN831: REIMAGINING THE MOBILITY 
AND AGILITY OF USER DATA: FOLDER 
REDIRECTION, ROAMING PROFILES, AND 
OFFLINE FILES 
DAN HOLME 

Windows Server 2003, Vista, and XP offer important 
functionality to ensure that data is available and 
secure. But until you start managing the intricacies 
of the technologies, your organization's data is difficult
to access or take offline, challenging to protect,
and intellectual property is exposed. In a
worst-case scenario, critical user data is stored
only on users' machines and is exposed to complete
loss. Or, misguided corporate mandates lead
too quickly to full-disk encryption. In this practical
session, you will learn best practices for putting the
pieces together: folder redirection, user profiles,
offline files, encryption, Group Policy, ACLs, and
shares. Participants are expected to have a very
solid understanding of most or all of these technologies,
or be ready to learn them offline. This
advanced session prepares you to take away ready-to-implement,
useful solutions to corralling, securing,
and managing corporate data.

WIN711: GROUP POLICY IN VISTA:
WHAT'S NEW - PART I (NEW GOODIES)

JEREMY MOSKOWITZ 

Short answer: lots. So come hear the essential 
"What every admin absolutely needs to know" 
about Windows Vista and Group Policy. Learn why 
you need a Windows Vista management station. 
Learn how to get out of burning 5MB per GPO
on each DC. Learn about the new things
you can do (like power management and USB port
management-only for Windows Vista clients).
And, what's with the new acquisition of
DesktopStandard? Will you see their
products emblazoned with a Microsoft logo anytime
soon? If you've got even one Windows Vista
client that you're going to deploy, you positively
must come to this session to learn the ropes from
Jeremy Moskowitz, Group Policy MVP.

WIN712: GROUP POLICY IN VISTA: WHAT'S 
NEW-PART II (TROUBLESHOOTING) 

JEREMY MOSKOWITZ 

In Part II we'll discover how the beauty of Group 
Policy changes is not skin deep. There are some 
basic and detailed changes lying under the hood. 
And Jeremy Moskowitz of GPanswers.com 
and author of Group Policy: Management, 
Troubleshooting and Security is just the guy to 
bring it to you. In this session, you'll learn why you 
can't just run gpresult.exe anymore and get the 
results you want. You'll discover what happens if 
you reconnect to the network after a long absence. 
You'll learn how to crack open the new Vista event 
log and trace Group Policy flow to figure out what 
might be going on. You'll learn how other areas, like 
Offline Files and Group Policy Software Installation 
can be tweaked to give you just the information you 
need to fix what ails you. If you're looking for Group 
Policy answers to your troubleshooting questions, 
this is the session for you. 

WIN723: EVERYTHING NEW IN VISTA
AND SERVER EVENTS & EVENT LOGS

RHONDA LAYFIELD 

Join Rhonda Layfield for an in-depth look at the 
overhauled event logs and eventing subsystems 
of Vista and Longhorn. Learn how to navigate the 
logs, consolidate, locate, and interpret events. 

WIN843: PLANNING FOR WINDOWS
SERVER 2008 AND VISTA LICENSING 
SEAN DEUBY 

Any rollout of Windows Server 2008 or Vista 
requires planning for Volume Activation 2.0. If 
you don't, your systems will grind to a halt a 
month after you've deployed them. You have to 
make a number of design decisions for your VA 
2.0 infrastructure; this session will provide you 
with key information from practical experience to 
help you plan. 

WIN833: AN INTRODUCTION TO SYSTEM 
CENTER CONFIGURATION MANAGER 
(SCCM) 2007 FOR NOVICES AND 
VETERANS 

RHONDA LAYFIELD 

Join Rhonda Layfield for a jump start to SCCM 
2007. If you're new to the product, you'll learn 
what it takes to configure sites, collections, and 
packages. Find out how to deploy applications and 
configuration to your desktops. If you're a seasoned
SMS veteran, you'll get the insight you need
into the "delta"—what's new in SCCM 2007.

Microsoft Office 2007: Deployment Strategies and Techniques

The new Microsoft information worker platform is here:
Microsoft Office 2007. Far more than just new versions of Word
and Excel, Office 2007 is the new groupware client, information
worker portal, and collaboration platform for Microsoft technologies.
Leveraging server technologies in Windows,
Exchange Server, and SharePoint Server, and based upon the
advanced client platform technologies in Windows Vista, Office
2007 is simply a must-have new suite. Are you ready for it?

SharePoint Connections

SharePoint Connections is the essential conference for 
in-depth technical training on solution development and 
customization of Windows SharePoint Services and 
SharePoint Portal Server. SharePoint Connections is the 
largest independent conference for SharePoint developers 
and SharePoint IT professionals, and this conference will 
feature industry experts discussing development essentials,
customization techniques, and developer case studies
and end-to-end solutions that leverage other Microsoft 
technologies (including Outlook, InfoPath and Active 
Directory). 

This targeted audience faces crucial purchasing decisions 
as they plan, deploy and customize secure, connected solutions
for communicating and collaborating with employees,
customers and partners using the SharePoint platform.
The SharePoint Connections conference provides developers
what they need to take their SharePoint deployments
to the next level in order to achieve their corporate
IT objectives. 


MOSS 2007 SECURITY ENHANCEMENTS DEEP DIVE 

This presentation delves into the significant new security features of Microsoft 
Office SharePoint Server (MOSS) 2007 including alternate authentication 
providers, native encryption, alternate access mapping and information rights 
management, and how to use these technologies to deploy SharePoint securely
in both internal and customer-facing applications.

JUST WHAT THE HECK IS MICROSOFT OFFICE GROOVE 2007?!? 

Groove 2007 is a new introduction to the Office suite of products that you can 
use to increase team collaboration and productivity. Groove can help you and 
your team work together more effectively and improve the quality of your 
deliverables. We will also see what security measures have been implemented 
which make Groove a more secure collaborative team workspace. We will examine
a few of the more popular tools included with Groove 2007 along with other
software that will help customize Groove workspaces. 

HMS307: CAPACITY AND PERFORMANCE PLANNING FOR 
MICROSOFT SHAREPOINT PRODUCTS AND TECHNOLOGIES 2007 

JAMES PETROSKY 

This session covers techniques to determine Microsoft Office SharePoint Server 
2007 capacity and performance needs, how to plan an architecture to meet those 
needs, and provides the steps required to conduct performance testing for 
Microsoft Office SharePoint Server 2007. 

HMS206: DESIGNING AND BUILDING SOPHISTICATED 
COMPOSITE APPLICATIONS WITH MICROSOFT OFFICE 
SHAREPOINT DESIGNER 2007 
JEROME THIEBAUD 

Discover how to build sophisticated workflow-enabled composite Web applications
on top of the SharePoint platform. This session explores how to build
tracking and reporting applications accessing a wide variety of data sources
using the power of the data view Web Part and Workflow Foundation. Also, learn
how to apply customization to your SharePoint pages in a few clicks with modern
tools such as master pages and CSS.

REGISTER TODAY ■ 800-505-1201 ■ 203-268-3204 


HMS309: HIGH AVAILABILITY AND DISASTER RECOVERY FOR 
MICROSOFT SHAREPOINT PRODUCTS AND TECHNOLOGIES 2007 

JAMES PETROSKY 

Learn best practices of data protection for your organization. This session covers
the pros and cons of Windows SharePoint Services Backup/Restore, SQL-only
backup/restore, SQL log-shipping, and the VSS writer. Also, learn how to take 
advantage of content recovery features, including the recycle bin, versioning, 
events, and fine-grained content migration. 

HMS201: MICROSOFT OFFICE SHAREPOINT 
SERVER 2007 OVERVIEW 

THOMAS RIZZO 

Microsoft Office SharePoint Server 2007 is much more than an upgrade to 
SharePoint Portal Server (SPS) 2003 and Content Management Server 2002. This 
session covers technical fundamentals, feature overviews, new sets of server 
functionality, and implications for developers and IT professionals alike. NOTE: 
Since Office SharePoint Server 2007 is built on Windows SharePoint Services 3.0, 
we recommend that you also attend the "Windows SharePoint Services 3.0 
Overview" session. 

HMS204: MICROSOFT SHAREPOINT PRODUCTS AND 
TECHNOLOGIES 2007: ADMINISTRATIVE ARCHITECTURE 
AND PLANNING FOR DEPLOYMENT, PART 1 

JOEL OLESON 

This session describes the new deployment and administration architecture for 
Microsoft Windows SharePoint Services (WSS) version 3 and Microsoft Office 
SharePoint Server 2007. Learn about logical and physical design architectures, 
planning and deployment considerations, as well as inter-farm and intra-farm 
shared services capabilities. Also, understand the administration components 
and administration security considerations throughout the platform. 

SESSIONS AND SPEAKERS ARE SUBJECT TO CHANGE. 

SEE WEB SITE FOR UPDATES AND ADDITIONAL SESSIONS. 


www.WinConnections.com 













OFFICE & SHAREPOINT 

SESSIONS PRESENTED BY MICROSOFT 






HMS305: MICROSOFT SHAREPOINT PRODUCTS AND 
TECHNOLOGIES 2007: DEPLOYMENT AND ADVANCED 
ADMINISTRATION TOPICS, PART 2 
JOEL OLESON 

This session is the second of a two-part series on deployment and administration
in Microsoft Windows SharePoint Services (version 3) and Microsoft Office
SharePoint Server 2007. Learn about advanced configurations and deployment 
architectures including extranet deployments and inter-farm shared services. 
Gain an understanding of steady state and advanced administration techniques 
and capabilities for the SharePoint farm including password management, disaster
recovery, SQL management, patching and service pack management, and
the Microsoft Common Engineering Criteria enhancements. 

HMS202: MICROSOFT WINDOWS SHAREPOINT 
SERVICES 3.0 OVERVIEW 
LAWRENCE LIU 

Microsoft Windows SharePoint Services, a technology in Windows Server, 
provides the tools, infrastructure, and platform for the development of 
collaborative applications. Learn about the new features in Windows SharePoint
Services 3.0 and how you can use them to make Windows SharePoint
Services version 3.0 work for you.

HMS310: SEARCH IN MICROSOFT OFFICE SHAREPOINT 
SERVER 2007: CUSTOMIZING AND EXTENDING 

THOMAS RIZZO 

Enterprise Search is a critical piece of Microsoft Office SharePoint Server 2007. In 
this session we drill into the search technologies SharePoint offers, how to extend 
these search capabilities using custom user interfaces, and how to use the object 
model and Web services to add your search to your own custom applications. 

HMS203: SHAREPOINT GOVERNANCE AND INFORMATION 
ARCHITECTURE GUIDANCE 

JOEL OLESON 

The most important thing you do to ensure a successful deployment is create an 
information architecture. Overlooking information management can lead to 
chaos. Come learn key SharePoint governance models that can help you balance 
the security and control that you need while continuing to support an easy-to-use,
easy-to-manage platform.


CONFERENCE SESSIONS 


OFF835: ACCESS AND SQL SERVER
ALISON BALTER

Access 2007 is an excellent client/server development
tool. In this session, you'll learn when you
should move an application to a SQL Server backend.
This session will explore the options available
to you when creating an Access client/server application.
You'll learn how to upsize an Access database
to SQL Server. Finally, you'll learn all of the tips
and tricks that make your Access client/server
applications optimized and fast!

OFF715: CUSTOMIZING AND DEPLOYING
OFFICE 2007: THE REAL STORY
DAN HOLME

Join IT consultant Dan Holme for a truly independent,
real-world alternative to Microsoft's song-and-dance
about Office deployment. This session
will help you cut your learning curve by giving you
practical, take-away guidance to the tools and
options available for customizing and deploying
Office 2007 in your enterprise. Learn how to create
an effective network installation point, create
one or more customized installations, work with
multilanguage environments, and deploy Office in
a variety of scenarios. You will learn why Group
Policy Software Installation is not a practical
option for most organizations. And you will gain
invaluable workarounds for blasting Office on to
your users' computers without expensive third-party
software management tools.

OFF735: FRONT-ENDING SHAREPOINT
WITH ACCESS
ALISON BALTER

Access 2007 is tightly integrated with SharePoint.
This session provides the attendee with everything
that they need to know about working with Access
2007 and SharePoint. Topics covered include why
SharePoint and Access 2007 are important tools
within the organization, how to move your database
to a SharePoint site, and how to open and work with
SharePoint lists from within Access 2007. It will also
cover how to integrate with the SharePoint workflow,
how to work with SharePoint services offline,
and how to map Access data to SharePoint data. All
of these topics are necessary when integrating
Access 2007 and SharePoint.

OFF745: MICROSOFT OFFICE
POWERPOINT 2007: INTRODUCING AND 
SUPPORTING NEW FEATURES 
DOUGLAS RYAN VANBENTHUYSEN 

Microsoft Office PowerPoint 2007 offers an expanded
array of features allowing users to create attractive
presentations and to collaborate more readily
on PowerPoint projects. This session will show the 
new features of PowerPoint, including the use of 
quick styles, to create logically designed graphical 
representations of bulleted lists, and how to use 
SharePoint slide libraries to share reusable content 
across an organization. The session will also 
address current top support issues. 

OFF825: MICROSOFT OFFICE WORD 2007: 
CUSTOMIZING LOOK AND FEEL WITH 
TEMPLATES, STYLES, AND STYLE SETS 
DOUGLAS RYAN VANBENTHUYSEN 

Microsoft Office Word 2007 offers a variety of
options to help you customize the look and feel of
your documents. Out of the box, Word 2007 offers a
variety of templates and style sets that allow you to
quickly change the appearance of a document without
the need to devote resources to coming up with
a design. You can achieve further customization by
building your own templates and creating your own
styles and style sets. This session will explore the
use of templates, styles, and style sets, including
many new features such as Microsoft community
submitted templates, defining custom font and
color sets, and adding styles to the Ribbon interface.

OFF845: MICROSOFT OFFICE WORD
2007: REUSING CONTENT WITH
BUILDING BLOCKS AND CITATIONS
DOUGLAS RYAN VANBENTHUYSEN

With Microsoft Office Word 2007, you have the
ability to bring information and objects into your
documents through building blocks and citations.
This session will show how you can use building
blocks to add objects to your documents, create
building blocks of reusable content for distribution
throughout an organization, and store reference
information so you can easily add citations
and source lists and make them available to other
documents.

OFF725: WHAT'S NEW IN MICROSOFT
ACCESS 2007?
ALISON BALTER

Access 2007 is dramatically different than its predecessors.
This session will improve your productivity
in Access 2007 by showing you all of the new
and exciting tools that you can use to develop
applications. You not only will learn what has been
added to Access 2007, you will also learn what has
been taken away.
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HAD307: CUSTOMIZED SITE TEMPLATE 
AND DEFINITION MIGRATION 

RICHARD TAYLOR 

We all wanted it. We all needed it, but no one knew 
how. Microsoft wouldn't (or couldn't) tell us how. 
After stumbling around in the dark, we've figured it 
out! Come to this session to see how to perform a 
NON-vanilla migration with sites that have been 
customized with FrontPage 2003 and discover how
to decipher the TechNet document on the subject. 

HAD301: END-TO-END SOLUTIONS WITH THE 
2007 RELEASE: DEVELOPING FOR IT PROS 
DAVID GERHARDT 

Review an end-to-end solution for a time-off
request process. This session will show how to
develop a form solution using Office Word 2007 in
Office SharePoint Server 2007 without any custom
code.

HAD203: EXPLORING THE NEW 
MICROSOFT FOREFRONT SECURITY 
FOR SHAREPOINT 

MICHAEL NOEL 

This session gives an overview of the new 
Forefront Security for SharePoint 2007 product, 
focusing on how the product can help to protect a 
SharePoint environment from traditional antivirus 
concerns as well as the latest threats. This session 
outlines specific best practice guidance on 
installing and configuring the Forefront Security 
for SharePoint product within an existing 
SharePoint environment and presents sample 
deployment scenarios. It also covers more in-depth
information into some of the advanced
functionality such as reporting and maintenance. 

HAD308: FORMS AUTHENTICATION:
HOW TO GET YOUR INTERNET-FACING
MOSS SITE UP AND RUNNING
RICHARD TAYLOR

Forms-based authentication is an ASP.NET authentication
service that enables applications to provide
their own logon UI and do their own credential verification.
If you have an anonymous Internet-facing
site, you will want to know how to use Forms-based
authentication.
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HAD204: MONITORING A SHAREPOINT 
FARM USING SYSTEM CENTER 
OPERATIONS MANAGER 2007 
MICHAEL NOEL 

For several years, many administrators have
found that the Microsoft Operations Manager
(MOM) product is an ideal way to monitor the
health and functionality of a SharePoint environment.
Microsoft has further upped the ante with
the release of the newest version of MOM,
renamed as System Center Operations Manager
(OpsManager) 2007. This session covers how you
can use an OpsManager 2007 deployment to provide
for proactive monitoring and management of
a SharePoint 2007 environment. In addition to
best-practice architecture and configuration
advice for OpsManager, this session details the
specific OpsManager Management packs for
Windows SharePoint Services, SharePoint Server
2007, and Project Server 2007, discussing how you
can use them for proactive, rather than reactive,
administration of a SharePoint Farm.

HAD202: NO-CODE WORKFLOWS IN WSS V3
DUSTIN MILLER

Sending documents by e-mail for review is old and
busted. In this session, you'll learn about the new
hotness: built-in workflow features in WSS. See
how easy it is to add intelligent serial
and parallel workflows to documents
and other SharePoint content,
without writing a single line of code.

There is a bonus, too: You'll get a
glimpse into some of the other
process management features in the
new release of Office SharePoint
Server 2007, such as information
policies and records management.

HAD306: SHAREPOINT DIARIES
RICHARD TAYLOR

The benefits of a SharePoint implementation
are great, but getting the point across to
Executives is an even greater task. SharePoint is a
complex product to explain to upper management;
to get them to support you with the necessary
resources will take careful thought, planning, and
execution. Come to this session to learn how to
present a proposal to the powers-that-be and at the
same time ensure a successful SharePoint implementation
as was outlined in REDMOND magazine by
this author.

HAD305: VIRTUALIZING SHAREPOINT
2007 ARCHITECTURE
MICHAEL NOEL

Server virtualization technologies have taken
front stage recently and many organizations
have begun to seriously contemplate replacing
physical servers, including SharePoint servers,
with virtualization technologies. This session
focuses on real-world architecture and best-practice
recommendations for incorporating
SharePoint architecture into virtualized environments
running with either Microsoft's Virtual
Server or EMC's VMware Server products. The
session focuses on outlining which specific components
of SharePoint operate well in a virtualized
environment versus which ones are not necessarily
good candidates. In addition, this session
gives an in-depth look at real-world designs
for SharePoint using both major virtualization
products and outlining the strengths and weaknesses
of each product in relation to SharePoint
functionality.

SESSIONS AND SPEAKERS ARE SUBJECT TO CHANGE.
SEE WEB SITE FOR UPDATES AND ADDITIONAL SESSIONS.
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9AM-4PM • PRE-CONFERENCE WORKSHOP • EXCHANGE TRACK 

EPR301: U-FIX-IT: TROUBLESHOOTING EXCHANGE SERVER 2007 
(BRING YOUR OWN LAPTOP) 

PETER O'DOWD 

This intensive one-day troubleshooting workshop is essential for IT and 
Exchange administrators who want hands-on experience troubleshooting databases,
message flow, and performance in a lab environment. Exchange expert
and MVP Peter O'Dowd will walk you through the process of identifying and
solving problems using a wide range of tools and techniques. On your laptop,
you'll perform virtual hands-on labs developed by Wadeware® that simulate 
problems, and then walk through the process of troubleshooting and solving 
them. Attend this full-day workshop to better understand Exchange database 
architecture and to gain knowledge necessary to recover and support your 
Exchange Server 2007 system. 

NOTE: The laptop you bring MUST have at least 7 GB of memory and a DVD drive. 

9AM-4PM • PRE-CONFERENCE WORKSHOP • POWERSHELL TRACK 

PPR301: WINDOWS POWERSHELL: POWERFUL FUNDAMENTALS 
(BRING YOUR OWN LAPTOP) 

DON JONES & JEFF HICKS 

Master Windows PowerShell: Learn how to use the shell interactively (that's 
right, no scripting required) to perform key Windows administrative tasks. 
You'll learn all about PowerShell's object-oriented pipeline and learn how to 
manage services, run processes, and more. You'll also learn how PowerShell 
interfaces with Windows Management Instrumentation (WMI) and Active 
Directory Services Interface (ADSI) to extend your management reach to 
remote machines and into the directory. You'll learn all of the key PowerShell
commands, called cmdlets, that enable core Windows administration tasks.
You'll also learn to produce management and auditing reports using
PowerShell's built-in filtering, grouping, sorting, exporting, and formatting
capabilities. You'll even get a peek at PowerShell's built-in scripting language
and capabilities, and learn all the tips and tricks for using PowerShell that
you'll need to work faster and more efficiently. Bring your fully charged laptop
with Windows PowerShell installed: You won't need it all day, but we'll have a
special hands-on segment of our workshop that lets you experience and reinforce
the PowerShell skills that you're learning.

NOTE: You must bring your own Windows XP or Windows Vista laptop, running 
Windows PowerShell v1.0 (from www.Microsoft.com/powershell). You must have local
Administrator privileges. A licensed or free trial of SAPIEN PrimalScript Professional 
(from www.PrimalScript.com) is optional, but will be very helpful during class. 

Not all segments of the day are hands-on, but significant hands-on exercises are included. 


11/5/2007 


9AM-4PM • PRE-CONFERENCE WORKSHOP • WINDOWS TRACK 

WPR301: THE PERFECT DESKTOP: DEPLOYING AND 
MANAGING WINDOWS VISTA, WINDOWS XP, MICROSOFT OFFICE 
AND APPLICATIONS 

RHONDA LAYFIELD & DAN HOLME (Dan presents in the afternoon only.)

In this fast-paced, intermediate to advanced session, Dan Holme and Rhonda
Layfield will dive deep into the revolutionary new tools and technologies
used to deploy Windows Vista, XP, Microsoft Office, applications, and configuration.
You will learn best practices for the design, deployment, and maintenance
of Windows clients and servers that can be supported effectively
with application, security patch, and service pack rollouts into the future.
You will take away a deployment methodology that works and
a solid understanding of its functionality so that you can further refine the
methodology to apply to your enterprise. Discover what you need to know to
make them work: WinPE, ImageX, Windows Deployment Services (WDS), the
Office Customization Tool (OCT), and the Solution Accelerator for Business
Desktop Deployment (BDD).

9AM-4PM • PRE-CONFERENCE WORKSHOP • EXCHANGE TRACK 

EPR302: WALK IN THE PARK: MICROSOFT EXCHANGE 2007 
HANDS-ON LABS (BRING YOUR OWN LAPTOP) 

PETER O'DOWD 

Come take a six-hour guided tour of Exchange Server 2007 and see for yourself
the next evolution of the world's most powerful messaging system.
Experience the new Management Console, the five new server roles, e-mail policy
enforcement and compliance, powerful new scripting tools, new architecture,
new high availability and disaster recovery features, new mailbox features,
and methods for migrating from earlier versions of Exchange. In this
information-packed day you'll walk through several hands-on labs developed
by Wadeware® on your laptop with Exchange expert and MVP Peter O'Dowd,
getting hands-on experience with Exchange Server 2007.

NOTE: The laptop you bring MUST have at least 7 GB of memory and a DVD drive. 

9AM-4PM • PRE-CONFERENCE WORKSHOP • POWERSHELL TRACK 

PPR302: WINDOWS POWERSHELL: ADVANCED POWER 
(BRING YOUR OWN LAPTOP) 

DON JONES & JEFF HICKS 

Take PowerShell further, leveraging powerful built-in technologies for Windows 
and server administration. You'll learn all about PowerShell's built-in scripting 
language, and learn how to build powerful functions and filters that modularize 
script code into self-contained utilities. You'll get the details on PowerShell's 
scoping rules, learn to write error-handling routines, and learn everything about 
PowerShell script debugging, including the use of PowerShell's native debug 
mode. To keep you working efficiently, you'll receive a trial version of SAPIEN's
award-winning PrimalScript visual development environment, which fully supports
PowerShell script development. You'll also learn how to work with databases
in PowerShell, and how to build simple graphical user interfaces, such as
utility menus, right from within PowerShell. You'll even get a quick overview of
PowerShell's extensible formatting and data type systems, giving you a foundation
for additional independent research into these powerful areas for
PowerShell extensions. Bring your fully charged laptop with Windows
PowerShell installed: In the afternoon, you'll have a chance to put your new 
PowerShell scripting skills to use with a series of hands-on exercises. 

NOTE: You must bring your own Windows XP or Windows Vista laptop, running 
Windows PowerShell v1.0 (from www.Microsoft.com/powershell). You must have local
Administrator privileges. A licensed or free trial of SAPIEN PrimalScript Professional 
(from www.PrimalScript.com) is optional, but will be very helpful during class. 

Not all segments of the day are hands-on, but significant hands-on exercises are included. 

9AM-12PM • PRE-CONFERENCE WORKSHOP • OFFICE/WINDOWS TRACK 

OPRE01/WPRE06: MAKING THE MOST OF WINDOWS
SHAREPOINT SERVICES AND MICROSOFT OFFICE
DAN HOLME

You've got Microsoft Office. You've got Windows SharePoint Services. Make
the most of them! Join the guru behind www.OfficeSharePointPro.com for a
three-hour workshop focused on how to leverage these two technologies in
ways that add real value to your business. Learn what you and your information
workers can do to maximize SharePoint lists, libraries, and content
types. Discover what functionality differences to expect with the 2003 and
2007 versions of Office. And take away lots of practical, ready-to-implement
guidance to ensure your SharePoint service is a success.
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1PM-4PM • PRE-CONFERENCE WORKSHOP • WINDOWS TRACK 

WPR02: GROUP POLICY ESSENTIALS: CONFIGURATION,
CONTROL, AND SECURITY
JEREMY MOSKOWITZ

Group Policy is the most efficient way to manage desktops in a Windows environment.
If you are still running to machines to install desktops, you are not
taking full advantage of the power of Group Policy. In this practical workshop,
Jeremy Moskowitz will help you gain control of your environment and get your
life back. This is the perfect session to take before doing "deep dives" into the
main sessions of the conference. You'll get a little bit of everything: deployment,
configuration, control, and security! We'll warm up with some Group
Policy basics. Then, you'll learn how to get your XP and Vista client machines
up and running with some new setup options. After your machines are up and
running, Jeremy will show you how to manage your environment with templates,
zap printers down to your computers, and remotely deploy software to
your users' desktops. Finally, you'll learn how to use Group Policy to secure collections
of machines. We'll examine how Group Policy can do the heavy lifting
to the jobs you want to do! This session has both XP and Vista content.




9AM-12PM • PRE-CONFERENCE WORKSHOP • SECURITY TRACK 

WPR306: DESKTOP SECURITY IN THE REAL WORLD 
DEREK MELBER 

Join Derek Melber for an in-depth exploration of some of the most 
important and sometimes complex areas of desktop management and 
security. The session will cover topics including imaging capabilities, 
application compatibility, and desktop management. New technology will 
be in Server 2008... there are key desktop security settings that will 
save you hundreds of manhours. We all know that security is at the 
forefront of our minds and responsibilities, so using WSUS, Group 
Policy, MBSA, etc. are essential for ensuring your desktops are secure. 

We will also go over some of the most important settings and 
configurations that you can make to ensure your systems will be secure 
with the introduction of Vista into your organization. These 
technologies include PolicyMaker technologies and User Account 
Control... Do you have it turned on? 

1PM-4PM • PRE-CONFERENCE WORKSHOP • SECURITY TRACK 

WPR307: WINDOWS SECURITY, AUDITING, AND COMPLIANCE 
DEREK MELBER 

Dive into all aspects of Windows security from an audit and compliance 
standpoint. Derek Melber, renowned speaker and author of four books on the 
topic, will cover server and desktop security, as well as Active Directory and 
Group Policy security and delegation. Discover what Windows Server 2008 
and Windows Vista offer your security initiatives. The focus of this workshop 
is beyond the mere configuration or implementation of security settings; 
rather, it is on how to successfully leverage auditing to discover and fix those 
areas that are not up to snuff for compliance. 
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9AM-12PM • PRE-CONFERENCE WORKSHOP • VIRTUALIZATION TRACK 

WPRE03: VIRTUALIZATION: A JUMP START 

ALAN SUGANO 

Virtualization is one of the hot topics this year. With significant increases in 
performance of the current generation of server hardware with quad-core 
processors, high memory capacity, and Serial Attached SCSI (SAS) drives, 
much of the processing power on a server goes unused. Virtualization 
allows you to take advantage of this processing power by running several 
virtualized servers on one physical host. If you're considering virtualization 
and are new to this technology, this workshop will get you up to speed on 
this technology. You'll learn about the following topics: 

Virtualization hardware. Server processors, memory, and hard drive
configurations. Optimization of the hardware and the virtual environment
for the best virtual guest performance. Running the x64 platform
for virtual hosts and guests.

Virtualization software (Virtual Server 2005, VMware Server, ESX Server).

Backup strategies of virtual servers.

Virtualization and high availability. Learn about the high availability
solutions from Microsoft and VMware in the virtual server environment.

Virtual guest limitations and how to determine if virtualization
is a good fit for your application.

1PM-4PM • PRE-CONFERENCE WORKSHOP • VIRTUALIZATION TRACK 

WPRE05: VIRTUALIZING MICROSOFT SERVER APPLICATIONS 

ALAN SUGANO 

Virtualization is a great technology, but how does it fit in with Microsoft 
Server Applications? This workshop will focus on SQL Server, Exchange 
2007, and WSS 3.0/MOSS 2007 in a virtual environment. Each server
application has different needs in a virtual environment. For each 
server application we will examine the following issues: 

To virtualize or not virtualize, this is the first question! 

32- or 64-bit? 

Server configuration: Number of processors, type, memory, 
disk configuration, network cards, SAN type? 

What virtualization software should you use for your application? 

How do you configure guests for the best performance? 

How many users can you place on each virtual server? 

How many virtual guests can you place on a host? 

What are the High Availability Solutions for an environment? 


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11/9/2007 


9AM-4PM • POST-CONFERENCE WORKSHOP • EXCHANGE TRACK 

EPS301: APPLYING SECURITY AND ENFORCING COMPLIANCE 
WITH EXCHANGE SERVER 2007 (BRING YOUR OWN LAPTOP) 
PETER O'DOWD 

Exchange messaging security is a giant topic, covering message access, 
encryption, retention, anti-spam, antivirus, and more. Add to that the 
powerful new compliance features of Exchange Server 2007 and you have an 
intensive one-day instructor-led workshop that will arm you with the knowledge
necessary to secure your Exchange Server 2007 messaging
system. Using virtual computers running on your laptop, you'll walk through 
several security and compliance labs developed by Wadeware® and led 
by Exchange expert and MVP Peter O'Dowd that will show you how to 
implement and work with the many new security and compliance features of 
Exchange Server 2007. 

NOTE: The laptop you bring MUST have at least 1GB of memory and a DVD drive. 


9AM-4PM • POST-CONFERENCE WORKSHOP • WINDOWS TRACK 

WPS301: CREATE A TEST ENVIRONMENT, VIRTUALLY AND 
INEXPENSIVELY (BRING YOUR OWN LAPTOP) 

RHONDA LAYFIELD 

Have you ever wanted a test environment but didn't know where or how to
start? Purchasing new hardware to sacrifice to a test network can be pretty
costly, not to mention the amount of time it takes to build and maintain the
test environment. While this task can seem overwhelming, it doesn't have
to be. This workshop will give you hands-on experience in creating your
very own test environment that mirrors your production environment with
built-in disaster recovery! Now think about that for a second: regardless of
the technology you require in your test lab, be it SQL, Exchange, Active
Directory, or a development test environment, these step-by-step labs will
work for all, and you get to perform them live. Attendees will need a CD
drive, at least 1 GB of RAM and XP SP2 as their OS. Also download the
latest version of VMware Workstation 30-day eval copy, which will be used to
create your own virtual test environment live, in class. You will also be able
to take these step-by-step labs back to work with you and create your own
virtual test environment, no muss no fuss, and no drain on your budget!


9AM-4PM • POST-CONFERENCE WORKSHOP • WINDOWS TRACK

WPS302: REIMAGINING IT ADMINISTRATION: ROLE-BASED
MANAGEMENT, PROVISIONING, AND ACCELERATED
ADMINISTRATION
DAN HOLME

Find out why this workshop, completely revised for Windows Server 2008 and
Windows Vista, is consistently rated as a "best of breed" session, delivered as
a capstone to your Windows Connections experience. From his work with thousands
of IT professionals, from the CIOs of Fortune companies to front-line support
professionals, Dan Holme has amassed a wealth of experience and expertise,
solutions which enable you to deliver real-world best practices within the
constraints of real-world budgets and technologies. This workshop will be
invaluable for companies wanting to maximize their investment in their
Windows infrastructure.

ACTIVE DIRECTORY EXTREME MAKEOVER: You will discover how to implement
role-based management, in which users are defined by their business roles and
where resource access and configuration are instantly, accurately, and
auditably applied. Empower your enterprise to enable a documented, auditable
structure for resource security, asset management, and more. Also learn how
to implement a role-based AD administration model with a scripted, thoroughly
documented delegation.

PROVISIONING: You have the technology. Your business has processes. But
too commonly they are not aligned. Learn how concepts of provisioning can
enable you to support business processes through easy-to-implement solutions
for scenarios including user management, new and replaced computers,
and group membership tracking, to name a few.

ACCELERATED ADMINISTRATION: Learn the tricks that Dan has developed with
enterprises large and small to facilitate administration and security. Dan will
focus on creating highly customized and effective MMC consoles, scripts,
intranet pages, and toolsets utilizing the native Windows administrative tools,
support tools, and Resource Kit and free third-party utilities.

Get in early! This workshop includes a sneak peek at solutions in Dan's new
Windows Server 2008 Resource Kit book, "IT PRO SOLUTIONS KIT." Be sure to
visit the Windows Connections Web site for the most up-to-date list of topics
that will be covered in this workshop.


9AM-12PM • POST-CONFERENCE WORKSHOP • OFFICE TRACK 

OPROI: MAKING THE MOST OF MICROSOFT OFFICE 
PHILIP WIEST 

In this fast-paced, half-day event, you'll learn what you and your users can do 
to make more out of two ubiquitous Office applications: Outlook and Excel 2007. 
OUTLOOK: What's the name of the program you use every day that when you 
open it says, "Look Out", er "Outlook"? If you've got more than 80 e-mails in 
your Inbox or unread mail promoting the release of Windows 2000, you're on 
your way to e-mail rehab. The workshop features Flags, Filters, Rules, and 
something we call Raiders of the Lost Archive. Teach your Users how to 
become e-mail savvy, e-mail efficient, and effective e-mail engineers. 

EXCEL: You know there are some killer features in Microsoft Excel—you're just 
too overworked, underpaid, and busy putting out end-user fires to figure 
them out. Why not bring your staff something back from Vegas that they can
actually use, like advanced Excel skills and techniques. Warning: What happens
in this session doesn't have to stay in Vegas. You'll use these skills and
techniques every day. This session features Fills, Formulas, and above all, 
fun. If you thought cells were only for celebrities, think again! 


SPONSORSHIP/EXHIBIT INFORMATION 


For sponsorship information, contact Rod Dunlap

Tel: 480-917-3527 
E-mail: rod@devconnections.com 

SEE WEB SITE 
FOR MORE DETAILS. 
www.WinConnections.com 
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Call 800-505-1201 to take advantage of group discount pricing. 


NOTES & POLICIES: The Conference Producers reserve the right to cancel the conference by refunding the registration
fee. Producers can substitute speakers and topics and cancel sessions without notice or obligation.
Updates will be posted on our Web site at www.WinConnections.com. Tape recording, photography is not allowed
at any session. Conference producers will be taking candid pictures of events and reserve the right to reproduce.
By attending this conference you agree to this policy. You may transfer this registration to a colleague. Please
inform us if you have any special needs or dietary restrictions when you register. The conference registration
includes a one-year print subscription to Windows IT Pro. Current subscribers will have an additional one year added
to their subscription. Subscriptions outside of the United States and Canada will be digital. $25 of the funds will be
allocated toward a subscription to Windows IT Pro ($49.95 value). REGISTRATION & CANCELLATION POLICY:
Registrations are not confirmed until payment is received. Cancellations before September 20, 2007 must be
received in writing and will be refunded minus a $100 processing fee. After September 20, 2007 cancellations and
no shows are liable for full registration, it can be transferred to the next Connections conference within 12 months
or to another person. Active Directory, Microsoft, MSDN, Outlook, Windows NT, Windows Server, Windows Vista, and
Windows are either trademarks or registered trademarks of Microsoft Corporation. All other trademarks are property
of their owners.


HOTEL ACCOMMODATIONS 

Mandalay Bay Resort and Casino,
3950 Las Vegas Blvd. South, Las Vegas,
Nevada, is the conference site and host 
hotel. SPACE IS LIMITED so reserve your 
room early by calling the conference hotline 
at 800-505-1201 or 203-268-3204. 

* NOTE: ROOMS AT MANDALAY BAY HAVE BEEN TOTALLY REMODELED, 
VERY COOL! SPACE IS LIMITED • LAST YEAR ROOMS SOLD OUT EARLY 
SO BOOK YOUR ROOM TODAY! 

AIRLINE 

Please call Pericas Travel at 203-562-6668 
for airline reservations. 

CAR RENTAL 

Hertz is offering auto rental discounts to 
attendees. Call the Hertz Meeting Desk at 
800-654-2240 for reservations and refer to 
code CV# 010R0032 to receive your 
attendee discount. 

ATTIRE 

The recommended dress for the conference 
is casual and comfortable. Please bring 
along a sweater or jacket, as the ballrooms 
can get cool with the hotel's air conditioning. 



Network with your colleagues at 
Mandalay Bay Resort & Casino! 

There's so much to do, you'll never 
have to leave this 4-star resort! 

11-acre tropical lagoon 
Sandy beach 
3/4 mile lazy river 

30,000 sq. ft. luxury spa and fitness center
16 restaurants on site, including The House of Blues
135,000 sq. ft. casino

12,000 seat sports/entertainment complex 
Shark Reef: Not your typical aquarium! 

TAX DEDUCTION 

Your attendance to a DevConnections conference may be
tax deductible. Visit www.irs.ustreas.gov. Look for topic
513 - Educational Expenses. You may be able to deduct the conference
fee if you undertake to (1) maintain or improve skills required
in your present job; (2) fulfill an employment condition mandated
by your employer to keep your salary, status, or job.

GROUP DISCOUNT 

Register individuals from one company at 
the same time and receive a group discount. 


1-3 registrants 

$1,395 per person 
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after the 3rd 
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$1,195 per person 

($200 off each) 
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ONLINE 

www.WinConnections.com 

E-MAIL 

info@devconnections.com 

PHONE 

(800) 505-1201, (203) 268-3204 

FAX 

(203) 261-3884 

MAIL 

Microsoft Exchange Connections 2007 
Windows Connections 2007 
Office Connections 2007 
c/o Tech Conferences, Inc. 

731 Main Street, Suite D-3 
Monroe, CT 06468 


□ Microsoft Exchange Connections
on or before September 6, 2007: $1295.00
after September 6, 2007: $1395.00

□ 

Windows Connections. 
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.$1295.00 
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□ 

Office Connections. 

.on or before September 6,2007. 
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.after September 6,2007 . 

.$1395.00 

□ SharePoint Connections
on or before September 6, 2007: $1295.00
after September 6, 2007: $1395.00


PRE-CONFERENCE WORKSHOPS SUNDAY, NOVEMBER 4, 2007 LUNCH IS INCLUDED WITH FULL DAY WORKSHOPS. 


□ 9:00AM - 4:00PM U-Fix-It: Troubleshooting Exchange Server 2007 O'DOWD.$399 _

□ 9:00AM - 4:00PM Windows PowerShell: Powerful Fundamentals JONES & HICKS.$399 _
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□ 9:00AM - 4:00PM The Perfect Desktop ... LAYFIELD & HOLME.$399 _ 
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□ 1:00PM - 4:00PM Virtualizing Microsoft Server Applications SUGANO.$199 _ 
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□ 9:00AM - 4:00PM Applying Security and Enforcing Compliance with Exchange Server 2007 O'DOWD ..$399 _ 

□ 9:00AM - 4:00PM Create a Test Environment, Virtually and Inexpensively LAYFIELD.$399 _ 

□ 9:00AM -12:00PM Making the Most of Microsoft Office WIEST.$199 _ 

□ 9:00AM - 4:00PM Reimagining IT Administration ... HOLME .$399 _ 

CONFERENCE MATERIALS Full conference registration includes materials for the one conference for which you register. 
You may purchase materials for the other concurrently run events. 

□ Microsoft Exchange Connections Resource CD.$75_ 

□ Windows Connections Resource CD .$75_ 

□ SharePoint Connections Resource CD.$75_ 

□ Office Connections Resource CD.$75_ 


PAYMENT TOTAL 


♦IMPORTANT: You must reference Microsoft Exchange Connections, Windows Connections, SharePoint Connections, or Office Connections on your check. 
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Feature I SoftGrid 



as on Microsoft SQL Server Desktop Engine 
(MSDE) in test environments. The data store 
doesn't need to be on the same server as the 
application, although it should be on the same 
local network. 

A directory service such as Active Directory (AD) is also required
for the SoftGrid suite to function. A Windows NT 4.0 domain is
sufficient, but I'd be surprised if someone were forward thinking
enough to use application virtualization but were still running
NT 4.0. During installation, you must specify an account with read
access to the directory service. You also need two global groups to
identify SoftGrid administrators and users who can use SoftGrid's
services. If all users in the domain need access to SoftGrid, you can
add the Domain Users group to this global group.

You can install SoftGrid on Windows Server 2003 or Windows 2000
Server. The SoftGrid Management Console runs on Windows 2003 or
Windows XP and requires .NET Framework 1.1 and Microsoft Management
Console (MMC) 3.0, which is included in Windows 2003 R2 and can be
downloaded from Microsoft for other OS platforms.

The SoftGrid System Center Virtual Application Server component
requires a Pentium III 1GHz processor, at least 512MB of memory, and
200MB of disk space. The more applications you virtualize, the more
disk space you'll need. You can use the Windows load-balancing
functionality or hardware load balancers to install and balance
multiple SoftGrid Virtual Application Server machines.

To protect the data store, don't use MSDE in a production
environment. MSDE has limited recoverability and replication
capabilities, as well as limited management options. If you're
running multiple SoftGrid servers in an environment that requires
high availability, use SQL Server and Windows clustering services to
remove any single points of failure.

SoftGrid's documentation includes detailed installation instructions.
Be sure that you've read and met the prerequisites of creating an AD
account and groups for SoftGrid to use, as Figure 3 shows. To reduce
administrative overhead, you can set the AD account password to never
expire. However, doing so might cause security problems. Establish a
routine for regularly changing the password. Then, you can use the
SoftGrid Management Console's Account Authority property settings to
easily update the password, as Figure 4 shows.

Figure 4: Updating the AD account password
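One way to check whether the rotation routine is actually being followed, as an added example (not from the article or from Microsoft): it reads a constructed LDIF-style export of AD accounts and flags any account whose userAccountControl has the "password never expires" bit set or whose pwdLastSet is older than a threshold. The account names, the example.com domain and the 90-day threshold are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl bit: password never expires
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """pwdLastSet counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(moment: datetime) -> int:
    """Inverse conversion, used here only to build the sample export."""
    delta = moment - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * 10_000_000 + delta.microseconds * 10


def parse_ldif(text: str) -> list:
    """Parse simple 'attribute: value' records separated by blank lines."""
    records = []
    for block in text.strip().split("\n\n"):
        record = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            key, value = line.split(": ", 1)
            record[key] = value.strip()
        if record:
            records.append(record)
    return records


def audit_accounts(records, now, max_age_days=90):
    """Return (account, reasons) for accounts that escape password rotation.

    max_age_days=90 is an assumed policy value, not one from the article.
    """
    findings = []
    for rec in records:
        reasons = []
        if int(rec["userAccountControl"]) & DONT_EXPIRE_PASSWORD:
            reasons.append("password never expires")
        last_set = int(rec["pwdLastSet"])
        if last_set == 0:
            # 0 means no password change is recorded for the account.
            reasons.append("no password change recorded")
        else:
            age = (now - filetime_to_datetime(last_set)).days
            if age > max_age_days:
                reasons.append(f"password is {age} days old")
        if reasons:
            findings.append((rec["sAMAccountName"], reasons))
    return findings


NOW = datetime(2007, 9, 1, tzinfo=timezone.utc)


def sample_record(name, uac, days_old):
    """Build one constructed LDIF record (hypothetical account and domain)."""
    stamp = datetime_to_filetime(NOW - timedelta(days=days_old))
    return (
        f"dn: CN={name},OU=Service Accounts,DC=example,DC=com\n"
        f"sAMAccountName: {name}\n"
        f"userAccountControl: {uac}\n"
        f"pwdLastSet: {stamp}"
    )


# Constructed sample: 66048 = NORMAL_ACCOUNT (512) + DONT_EXPIRE_PASSWORD (65536).
SAMPLE_LDIF = "\n\n".join([
    sample_record("svc-softgrid", 66048, 400),
    sample_record("jdoe", 512, 30),
    sample_record("svc-backup", 512, 200),
])

if __name__ == "__main__":
    for account, reasons in audit_accounts(parse_ldif(SAMPLE_LDIF), NOW):
        print(account, "->", "; ".join(reasons))
```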

During installation, you're prompted for 
various pieces of information, including the 
following: 

• Components to install (you can have a distributed environment with
various server components spread over multiple servers)

• Whether to use SQL Server or MSDE (you need to specify the database
server if you use SQL Server; MSDE is installed by default)

• AD account to use, including the permission groups you created

• The path to use for storing application content (which by default is
C:\Program Files\Softricity\SoftGrid Server\content)

After installation is complete, the SoftGrid Management Console is
available in the Administrative Tools program group. On first
execution, the Management Console asks for the SoftGrid system to
connect to. SoftGrid operates over port 80 and requires the name of
the SoftGrid Management Web Service. As I already explained, the
Management Console never communicates with the data store directly;
all communication occurs through the Management Web Service.


More to Come 

Application virtualization is a hot trend. Microsoft's SoftGrid lets
you easily virtualize applications without requiring a lot of
overhead. In addition, the SystemGuard environment lets applications
run simultaneously without encountering any compatibility issues. To
test the product, I experimented with virtualizing Microsoft Office XP
and Office 2003; I found the process to be very smooth and intuitive.
In a subsequent article, I'll explain how to use SoftGrid to
virtualize applications.

InstantDoc ID 96625 


John Savill (john@savilltech.com) is a manager in the Microsoft
Practice division of EMC Global Services, where he develops
infrastructure solutions. He is the author of Windows Server 2003
Active Directory Design and Implementation (Packt Publishing) and is
writing a book about Windows Server 2008.
ADD YOUR WINDOWS SERVER STORAGE TO YOUR FIBRE CHANNEL NETWORK



Modern data centers typically run their most mission-critical business
applications on Fibre Channel SANs. Fibre Channel has a proven track
record in enabling fast performance and high availability of
application data as well as established best practices for data backup
and disaster recovery. Not all business applications, however, require
the bandwidth of 4Gbps Fibre Channel, and large data centers might have
hundreds of second-tier standalone rack-mounted servers still using
direct-attached storage. Some find it hard to justify the cost of a
$1,000 Fibre Channel host bus adapter (HBA) when the server itself cost
less than $3,000. On the other hand, standalone servers incur more
administrative overhead per server, particularly for backup operations.

Until the advent of iSCSI, there were few options for economically 
integrating all application, Web-hosting, and file servers into the data 
center SAN. iSCSI and iSCSI gateways, however, now provide the means 
to streamline the management and backup of second-tier servers and 
integrate these servers into the Fibre Channel SAN. This integration 
extends data center best practices to all server assets and can amortize 
the substantial investment in a data center SAN over a much larger 
population of attached devices. 

Microsoft offers new iSCSI-enabling software, making it possible to 
cost effectively bring Windows servers into the data center. Let's look at 
the steps required to make this happen and factors you need to consider. 
First—a little background on iSCSI. 


iSCSI Essentials 

Like traditional parallel SCSI, the iSCSI protocol enables reads and
writes of data in high-performance block format. However, by
serializing SCSI commands, status, and data, iSCSI overcomes the
distance limitations of parallel SCSI cabling and simplifies
deployment and maintenance. Because iSCSI runs over TCP/IP, it can be
transported over conventional Gigabit Ethernet networks and wide-area
IP networks. Figure 1, page 52, illustrates how conventional SCSI is
wrapped in TCP/IP for transport.

Using economical Gigabit Ethernet interface cards and Gigabit Ethernet
switches keeps the iSCSI per-server attachment cost low and works fine
in many situations. Some vendors do provide iSCSI HBAs that optimize
iSCSI processing via TCP offload engines (TOEs) and onboard iSCSI
processing logic. iSCSI HBAs are required for boot from SAN
applications, and they're suitable for applications that require high
bandwidth, but they increase per-server attachment costs. In this
article, I assume standard Gigabit Ethernet NICs. With the faster
10 Gigabit Ethernet, you lose most of the cost advantage over Fibre
Channel.

For Windows storage management, an iSCSI target appears as just 
another storage resource that can be assigned a drive letter, formatted, 
and used for applications and data. Instead of being housed inside 
the server or connected by parallel cabling, though, the iSCSI storage 
resource can be anywhere in an IP-routed network. Because iSCSI is a 
block storage protocol, the latency of long-distance connections over 
a WAN might have a serious negative effect on performance or cause 
timeouts. Typically, iSCSI is best deployed within a data center, campus, 
or metro environment. 

Microsoft iSCSI Support 

Microsoft's introduction of iSCSI initiator and Internet Storage Name
Service (iSNS) software provides an economical means to bring even
low-cost Windows servers and workstations into the data center SAN
infrastructure. Microsoft iSCSI Software Initiator enables connection
of a Windows host to an external iSCSI storage array. Microsoft iSNS
Server discovers targets on an iSCSI network.

As of this writing, iSCSI Software Initiator 2.04 is available free on
the Microsoft Download Center and requires Windows Server 2003 or
later, Windows XP Professional SP1 or later, or Windows 2000 SP3 or
later. Download it at
http://www.microsoft.com/downloads/details.aspx?familyid=12cb3c1a-15d6-4585-b385-befd1319f825&displaylang=en.
Microsoft iSNS server code is also available as a free download and
requires Windows Server 2003 or Windows 2000 SP4. Download it at
http://www.microsoft.com/downloads/details.aspx?familyid=0dbc4af5-9410-4080-a545-f90b45650e20&displaylang=en.

Microsoft has included some attractive features in iSCSI Software
Initiator, including multipathing, security, and support for server
clustering to iSCSI targets. Multipathing with the Microsoft Multipath
I/O (MPIO) driver included in iSCSI Software Initiator provides for
higher availability through failover and better performance through
load balancing. Secure connections between iSCSI initiators and storage
targets are supported with Challenge Handshake Authentication Protocol
(CHAP) and IPsec for data-payload encryption. Authentication and
encryption might be required when storage data traverses an untrusted
network segment. Support for clustering enables iSCSI storage to be
used for Microsoft Exchange Server or Microsoft SQL Server clusters.
For the configurations discussed below, the Exchange or SQL Server data
can be managed centrally and protected on the SAN, while clustering
provides high availability of applications to end users.
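The CHAP option mentioned above, shown as the login exchange both sides perform (an added example, not code from the article or from Microsoft's initiator). The key names follow the iSCSI CHAP text keys (CHAP_A, CHAP_I, CHAP_C, CHAP_N, CHAP_R); the node names, secrets and class names are constructed for illustration, and the 12-byte minimum reflects RFC 3720's 96-bit guidance for secrets used without IPsec.

```python
import hashlib
import hmac
import os

MIN_SECRET_BYTES = 12  # 96 bits; shorter secrets need IPsec encryption (RFC 3720)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: hash of identifier byte, secret, challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def secret_acceptable(secret: bytes, ipsec_protected: bool) -> bool:
    """A short secret is only tolerable when IPsec encrypts the connection."""
    return ipsec_protected or len(secret) >= MIN_SECRET_BYTES


def to_hex(value: bytes) -> str:
    return "0x" + value.hex()


def from_hex(text: str) -> bytes:
    return bytes.fromhex(text[2:])


class Target:
    """Target side; in the article's setup, the gateway's virtual iSCSI target."""

    def __init__(self, name, initiator_secrets, own_secret):
        self.name = name
        self.initiator_secrets = initiator_secrets  # initiator name -> secret
        self.own_secret = own_secret                # answers mutual CHAP

    def challenge(self):
        self.ident = os.urandom(1)[0]
        self.chal = os.urandom(16)
        return {"CHAP_A": "5", "CHAP_I": str(self.ident),
                "CHAP_C": to_hex(self.chal)}

    def verify(self, reply):
        """Return (accepted, keys to send back to the initiator)."""
        secret = self.initiator_secrets.get(reply.get("CHAP_N"))
        if secret is None:
            return False, {}
        expected = chap_response(self.ident, secret, self.chal)
        if not hmac.compare_digest(expected, from_hex(reply.get("CHAP_R", "0x"))):
            return False, {}
        if "CHAP_C" not in reply:       # one-way CHAP: nothing more to prove
            return True, {}
        peer_chal = from_hex(reply["CHAP_C"])
        if peer_chal == self.chal:      # our own challenge echoed back: reject
            return False, {}
        answer = chap_response(int(reply["CHAP_I"]), self.own_secret, peer_chal)
        return True, {"CHAP_N": self.name, "CHAP_R": to_hex(answer)}


class Initiator:
    """Initiator side, e.g. a Windows host running the software initiator."""

    def __init__(self, name, secret, target_secret=None):
        self.name = name
        self.secret = secret
        self.target_secret = target_secret  # needed only for mutual CHAP

    def respond(self, offer, mutual=False):
        if offer["CHAP_A"] != "5":          # 5 = MD5, the algorithm shown here
            raise ValueError("unsupported CHAP algorithm")
        proof = chap_response(int(offer["CHAP_I"]), self.secret,
                              from_hex(offer["CHAP_C"]))
        reply = {"CHAP_N": self.name, "CHAP_R": to_hex(proof)}
        if mutual:                          # challenge the target in return
            self.ident = os.urandom(1)[0]
            self.chal = os.urandom(16)
            reply["CHAP_I"] = str(self.ident)
            reply["CHAP_C"] = to_hex(self.chal)
        return reply

    def verify_target(self, answer):
        expected = chap_response(self.ident, self.target_secret, self.chal)
        return hmac.compare_digest(expected, from_hex(answer.get("CHAP_R", "0x")))


def login(initiator, target, mutual=False) -> bool:
    """Run the security-negotiation part of a login and report the outcome."""
    accepted, answer = target.verify(initiator.respond(target.challenge(), mutual))
    if not accepted:
        return False
    return initiator.verify_target(answer) if mutual else True


# Constructed sample values: different secrets for each direction.
INITIATOR_NAME = "iqn.1991-05.com.microsoft:srv01.example.com"
TARGET_NAME = "iqn.2007-09.com.example:gateway.vt1"
INITIATOR_SECRET = b"Constructed#Key1"
TARGET_SECRET = b"Constructed#Key2"

if __name__ == "__main__":
    tgt = Target(TARGET_NAME, {INITIATOR_NAME: INITIATOR_SECRET}, TARGET_SECRET)
    ini = Initiator(INITIATOR_NAME, INITIATOR_SECRET, TARGET_SECRET)
    print("one-way:", login(ini, tgt), "mutual:", login(ini, tgt, mutual=True))
```

CHAP only authenticates the login; the secret never crosses the wire, but the data that follows does, which is why the article pairs CHAP with IPsec for payload encryption.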

iSNS Server isn't mandatory, but it does simplify iSCSI deployment by
enabling automatic discovery of iSCSI target resources. It can be run
on a dedicated server or coexist with other server applications.
Essentially, iSNS Server combines the capabilities of DNS with
conventional discovery services provided by the Simple Name Server
(SNS) of Fibre Channel fabrics. In Fibre Channel switches and
directors, for example, the SNS contains information about all storage
assets in the SAN. As a storage array or tape subsystem is attached to
the SAN, it registers with the SNS. When Fibre Channel initiators
connect to the fabric, they query the SNS for available storage
resources. The resources that are reported to a specific initiator can
be filtered by use of zoning and LUN masking. This prevents initiators
from accessing unauthorized storage assets (e.g., stopping a Windows
server from binding to a UNIX storage array).

The iSCSI Gateway 

An iSCSI gateway provides protocol conversion between iSCSI initiators
and Fibre Channel-attached storage targets. An iSCSI gateway
effectively proxies for each side, presenting a virtual Fibre Channel
initiator to the real Fibre Channel target and a virtual iSCSI target
to the real iSCSI initiator, as Figure 2 shows. Consequently, when
setting up an iSCSI gateway, you must follow the respective rules of
both protocols.

Because Fibre Channel connections today are typically 2Gbps or 4Gbps
and iSCSI is typically 1Gbps, you can aggregate more iSCSI servers per
Fibre Channel storage port on an iSCSI gateway than you can Fibre
Channel servers. In conventional business application environments
running at 1Gbps end to end, a typical ratio of servers to storage
ports (known as the fan-in ratio) might be 7:1. An iSCSI gateway that
provides 1Gbps port connections for iSCSI initiators and 4Gbps
connections for storage ports can enable a much higher fan-in ratio of
18:1 or greater. For iSCSI initiators, you implement the higher fan-in
ratio by attaching multiple iSCSI servers to a Gigabit Ethernet switch,
which in turn provides a 1Gbps connection to the iSCSI gateway for
every fan-in group. An iSCSI gateway that offers four 1Gbps Ethernet
ports and several 4Gbps Fibre Channel ports can support 70 or more
iSCSI initiators concurrently.

The other factor to consider when scoping fan-in ratios is the maximum
number of concurrent iSCSI sessions per gateway port that the storage
vendor has certified. An iSCSI gateway might support up to 50 iSCSI
sessions per Gigabit Ethernet port, whereas the storage vendor might
certify only a more conservative 20 sessions per port. Each storage
vendor does its own certification and testing of iSCSI gateway products
and sets its own supported limit for each.

Bringing iSCSI Servers into the SAN

As you plan for integrating iSCSI-attached Windows servers into your
SAN, identify the collective storage capacity required for all the
newly attached iSCSI servers, the average storage traffic generated by
the second-tier applications running on the servers, and the initial
fan-in ratio that best suits the aggregate traffic load to help size
both SAN and iSCSI gateway requirements. It might be fairly easy to
identify the amount of storage capacity each second-tier server needs,
but it's usually more difficult to identify storage traffic patterns
and loads, particularly for "bursty" applications. It's best, then, to
start with a fairly conservative fan-in ratio (e.g., 7:1 or lower) and
gradually increase the number of iSCSI servers per iSCSI gateway port
until you reach the optimum fan-in for your situation.

iSCSI gateway proxies both iSCSI target and Fibre Channel initiator

Deploying second-tier iSCSI servers into an existing Fibre Channel SAN
requires three basic steps: configuring the existing Fibre Channel
storage array for additional hosts, setting up the iSCSI gateway for
both virtual Fibre Channel initiator and virtual iSCSI target
connections, and installing the Microsoft iSCSI initiator and iSNS (if
desired) software for host connection. No one step is particularly
difficult, but the process might require collaboration between server
administrators and SAN administrators if those functions aren't
combined in your environment.

Step 1: Configuring SAN storage for new iSCSI hosts. Because you're
using an iSCSI gateway to integrate additional servers, no special
process is required to configure additional storage capacity. From the
SAN administrator's standpoint, the new LUNs are being configured for
traditional Fibre Channel initiators, which in fact have a virtual
existence within the iSCSI gateway. Consequently, you create additional
LUNs with the desired capacity as usual by using the storage vendor's
configuration utility, and the appropriate number of new storage ports
(determined by the fan-in ratio) are connected to the SAN fabric.

Learning Path

For more information about Fibre Channel and iSCSI SANs:

“Windows Embraces iSCSI Storage,” InstantDoc ID 41653

“Exchange and SANs: No Magic Bullet,” InstantDoc ID 47322

To learn about Fibre Channel zoning:

“Storage Area Network Security,”

Although an iSCSI gateway platform might 
allow direct connection between the gateway 
and SAN storage, data center administrators 
might prefer to drive all storage connections 
through Fibre Channel directors or switches. 
In this case, you connect both storage ports 
and iSCSI gateway Fibre Channel ports to the 
fabric and configure zoning or LUN masking 
at the fabric level. Each new storage port is 
represented by a unique World Wide Name 
(WWN), which you use to configure zoning 
and connectivity to the iSCSI gateway. 

Every storage vendor provides its own 
management utility for creating LUNs from the 
total capacity of the storage array. Typically, 
these utilities are GUI-based and fairly simple 
to configure. Likewise, individual fabric switch 
vendors provide utilities for configuring switch 
ports, zone groups, and LUN masking. It's 
important to remember that although you're 
configuring SAN resources to connect iSCSI 
initiators, the storage arrays and fabric see only 
Fibre Channel initiators proxied by the iSCSI 
gateway. 

Step 2: Setting up the iSCSI gateway. The iSCSI gateway configuration
has two basic components. You configure and bind the iSCSI initiators
to their respective virtual iSCSI targets. And, likewise, you configure
and bind the real Fibre Channel targets to their respective virtual
Fibre Channel initiators. Typically, the configuration utility provided
by the iSCSI gateway vendor streamlines this dual process so that when
you configure an iSCSI initiator, the proxy Fibre Channel initiator is
created automatically.

You register iSCSI initiators by iSCSI identifiers and register SAN
resources by WWNs and Fibre Channel IDs (FCIDs) on the iSCSI gateway.
You must determine these respective identifiers in advance to properly
configure the iSCSI gateway. In Figure 3, the configuration utility for
an iSCSI gateway (in this example, a Brocade M2640) shows an iSCSI
initiator defined by iSCSI identifier and alias, IP address, and
proxied WWNs.

The iSCSI gateway might include additional utilities for implementing
CHAP or IPsec for security. As with general address information, you
should determine any CHAP parameters or IPsec addressing in advance to
simplify gateway installation.

Because each iSCSI gateway vendor provides its own unique utility for
configuring iSCSI hosts and SAN targets, I can't provide a step-by-step
example for gateway configuration. The common requirements, though, are
to configure iSCSI initiator properties, configure proxied targets, and
define LUN masking parameters for the target volumes.

Step 3: Configure the iSCSI hosts. Along 
with its free iSCSI Software Initiator, Microsoft 
provides detailed installation instructions in 
a downloadable users' guide. Once you've 
installed the software on a Windows server, the 
basic steps are to assign an iSCSI initiator node 
name for the server, configure any desired 
security features, discover (via iSNS) or define 
targets available for the server, and bind the 
iSCSI host to the appropriate targets. 

After you've set the initiator parameters on the General tab of the
iSCSI Initiator Properties dialog box, use the Discovery tab to either
discover through iSNS or manually enter the IP address of intended
targets. If you install iSNS on a LAN-attached server, it will
periodically check for the existence of any additional iSCSI targets.
In this example, those targets are represented by the iSCSI gateway.
Alternatively, click Add in the Target Portals area of the Discovery
tab to manually identify targets.

54 Windows IT Pro SEPTEMBER 2007

After you've defined targets, use the Targets tab to select and log on
to the proxied iSCSI targets. As Figure 4 shows, the logon window also
enables you to select whether a target is persistent and whether
multipathing is used for this connection. Click Advanced in the logon
window to configure cyclical redundancy check (CRC), CHAP, and IPsec
settings for this connection.

Once the logon session between the iSCSI 
initiator and proxied iSCSI target is active, you 
can configure the iSCSI storage volume via the 
Windows Disk Management utility, assign it a 
drive letter, and format it for use. 


A Dedicated IP SAN 

Compared with a messaging LAN (i.e., a LAN that carries application
traffic as opposed to storage traffic), a Fibre Channel SAN is
inherently a separate network, with its own cabling scheme, protocols,
and fabric infrastructure. If properly designed, congestion on a Fibre
Channel SAN should be minimal and high availability is enhanced through
redundant pathing between initiators and targets.

One of the more marketed aspects of iSCSI is that it can be run over
common LAN infrastructures by using relatively cheap Gigabit Ethernet
switches. This means that storage and messaging traffic coexists on the
same LAN. Certainly there are no significant technical barriers to
prevent this. However, Microsoft and, in particular, storage vendors
typically advise against combining storage and messaging traffic on the
same network. Messaging traffic can withstand wide fluctuations in
latency, congestion, and packet loss and recovery; storage traffic
can't. Consequently, the Ethernet network between the iSCSI gateway and
the complex of iSCSI initiators it's serving should be a dedicated IP
SAN, as Figure 5 shows.

Designing a dedicated IP SAN from the start takes advantage of
lower-cost per-server connections and commodity Gigabit Ethernet
switches, and it allows you to scale the IP SAN over time to
accommodate additional servers without significantly impacting (or
being impacted by) the corporate LAN.

iSCSI is now a mature storage technology and is being deployed for
small departmental operations as well as data center applications.
Today, Fibre Channel is still the transport of choice for many data
centers with high bandwidth and high availability requirements.
Combining iSCSI and Fibre Channel SAN technologies helps administrators
bring all server assets into a common storage infrastructure and
provide best-practices handling of all corporate data.


Figure 4: Logging on to a proxied iSCSI target
REQUIRED READING | Feature


Designing Active Directory for Exchange Server 2007


Follow these guidelines for best Exchange performance 


Every version of Microsoft Exchange Server since Exchange 2000 Server
has been dependent on Active Directory (AD). What many new Exchange
administrators might not realize is that even though AD acts primarily
as a repository for user and topology information, your AD design can
make or break an Exchange organization's performance. It does little
good to have high-performance Exchange servers if your domain
controllers (DCs) can't keep pace with Exchange-related LDAP queries.
Exchange Server 2007 has different requirements for AD design than
Exchange Server 2003, so let's take a look at some of the things you
need to consider before deploying Exchange 2007.


Domain Controllers 

Exchange 2007 has specific requirements for your organization's DCs.
The first requirement for DCs in Exchange 2007 environments is that the
schema master and all the Global Catalog (GC) servers within the forest
where Exchange 2007 will be installed must be running Windows Server
2003 SP1 or later. Because Windows Server 2003 SP2 is available, this
requirement probably isn't a problem for most organizations, but it
must be met.

The second requirement is that all domains within the forest must have
a functional level of Windows 2000 native or higher. You can check a
domain's functional level by opening the Microsoft Management Console
(MMC) Active Directory Users and Computers snap-in and right-clicking
the domain you want to check in the console tree. Select Raise Domain
Functional Level from the shortcut menu, and you'll see a dialog box
similar to the one Figure 1, page 58, shows.

The domain shown in Figure 1 is already running at 
the Windows Server 2003 functional level, which works 
fine because it's a higher functional level than the required 
Windows 2000. Had this domain been running at a lower 
functional level, the dialog box would include an option to 
raise the domain to a higher level. Raising the functional 
level of a domain is a one-way operation: Once the level has 
been raised, there's no going back. 

The domain functional level affects which servers can act as DCs in the
domain. For example, if the domain functional level is set to Windows
2003, then all DCs in the domain must be running Windows 2003 or
Windows Server 2008 (formerly code-named Longhorn). You can't have DCs
running Windows 2000 or Windows NT Server in a domain with a Windows
2003 functional level. Windows 2000 DCs can participate in domains with
a functional level of Windows 2000 or higher.

The third requirement for DCs in Exchange 2007 organizations is that
any site that will contain an Exchange server running the Mailbox, Hub
Transport, or Client Access server role (or any combination of these
roles) must contain at least one GC server. Although any DC can easily
be designated to act as a GC server, Exchange 2007 has some important
guidelines regarding GC server placement, which I'll discuss more in
the next section.

One last recommendation regarding DCs is that, if 
possible, your DCs should be running a 64-bit Windows 
OS. Assuming that the server is equipped with a sufficient 
amount of memory, 64-bit versions of Windows will usually 
let DCs handle a heavier load. 

I also want to mention that Exchange 2007 shouldn't be installed on a
DC. People argue this point with me all the time. The rationale behind
their arguments is usually that Small Business Server (SBS) is designed
to let Exchange reside on a DC, so it must be OK for other Exchange
deployments as well. But keep in mind that SBS is intended for
organizations that have only a couple dozen users at most. Typically,
these organizations lack the budget or the expertise to support full
Exchange deployments. Because they don't have many users, their servers
don't usually have to bear the heavy workloads commonly associated with
DCs and Exchange servers in larger organizations.

If for some reason you must install Exchange 2007 on a
DC, remember that the DC must be running a 64-bit version
of Windows. Even though you can install Exchange on
a DC, doing so is a bad decision. At best, running Exchange
on a DC causes problems with memory constraints and
long shutdown times. This type of configuration also raises
some questions regarding security. Your Exchange server
communicates with the outside world and is therefore an
entry point for malware and possibly hacking. It would
be foolish to place an AD database on a server that's
such a common target for those with malicious intent.
If the server is also hosting the Client Access
role, then the risks are even greater because
you're letting the outside world access the
server using a Web browser.


Global Catalog Servers 

Microsoft has changed its recommendations 
for GC server placement quite a few times 
over the life of Windows 2003 and Exchange 
2003. To the best of my knowledge, Microsoft's 
most recent recommendation for GC server 
placement in an Exchange 2003 environment 
was to use a 4 to 1 ratio of Exchange server 
cores to GC server cores. This doesn't mean 
there should be one GC server for every four 
Exchange servers (although I believe that was 
Microsoft's recommendation at one point). 
Instead, this ratio is based on the number of 
processor cores. 

As an example, imagine you had four 
Exchange servers, each with one single-core 
processor. One GC server with a single-core processor
could support these servers. Of course,
having only one GC server is a bad idea because 
this server represents a single point of failure. 

To expand on this concept, suppose you 
had four Exchange servers, each with two 
single-core processors. Collectively, the servers
would have eight processor cores, so you
would need two GC server cores to support
them. This could be one server with two single-core
processors or one dual-core processor, or
it could be two separate servers. 

Microsoft has adopted the same basic technique
for determining the number of GC servers
needed to support Exchange 2007, but the ratio 
has changed to one GC server core for every 
eight Exchange 2007 cores. Of course, this is just 
a guideline. In the real world, the actual number 
of cores you'll need might vary because some 
cores are faster than others and because you 
want to avoid having a single point of failure. 

There are two important criteria that your
GC servers must meet in order for this 8 to
1 ratio to be valid. First, your GC
servers must be running a 64-bit
Windows OS. As I'm sure you probably
know, 64-bit OSs can address
a much larger amount of memory
than 32-bit OSs. This is important
because of the second requirement
for an 8 to 1 core ratio: The server
must have enough physical memory
installed that it can cache the
entire AD database in RAM. You can
find the size of your AD database by navigating
through your GC server's hard disk to the
\windows\ntds folder and looking for the Ntds.dit
file. If your GC servers don't meet these criteria,
you're better off using the 4 to 1 ratio that was
used with Exchange 2003.

AD Site Topology 

One of the more significant features of 
Exchange 2007 with regard to AD is that routing
groups no longer exist. Exchange 2003 lets
you route messages by creating routing groups 
on an as-needed basis. In contrast, Exchange 
2007 is designed to let Mailbox servers connect 
directly to Hub Transport servers, which can 
connect to any other Hub Transport server. If 
a Hub Transport server is down in a site, the 
Mailbox server will use AD site topology as an 
alternative to routing groups to find the next 
closest Hub Transport server. 

With Exchange 2003, it's a common practice
to place Exchange servers and some
DCs or GC servers into a dedicated site. This
method prevents demanding applications
from flooding GC servers or DCs with excessive
requests and thereby reducing Exchange's
performance. By placing these resources into
a dedicated site alongside the Exchange servers,
you can effectively isolate Exchange from
other demanding applications—and prevent 
Exchange from consuming resources required 
by your other applications—with only minimal 
effect on mail flow. Remember that Exchange 
2003 uses its own internal routing groups to 
control mail flow and that these routing groups 
work independently of AD sites. 

You could place Exchange 2007 into a 
dedicated site, but doing so could negatively 
affect mail flow, particularly in organizations 
with five or more AD sites. In complex organizations,
it's almost impossible to get mail flow
to perform optimally when Exchange is in a
dedicated site without creating a management
headache in the process. For more information
about message routing in Exchange 2007, see
"Exchange 2007 Transforms Message Routing,"
March 2007, InstantDoc ID 94859.


DNS Requirements 

Just as Exchange 2007 depends on AD, AD
depends on a properly configured DNS server.
In previous versions of Exchange, configuring
DNS entries was a fairly straightforward task.
In Exchange 2007, things work a bit differently
than what you might be used to.

AD Considerations for Exchange 2007

If you want a smooth deployment of Microsoft Exchange Server 2007, you'll need to make
sure your Active Directory (AD) is properly designed and implemented. Here are some things
you'll want to check.

The schema master and all the Global Catalog (GC) servers
within the forest where Exchange 2007 will be installed must be running Windows Server
2003 SP1 or later. All domains within the forest must have a functional level of Windows 2000
native or higher. Any site that will contain an Exchange server running the Mailbox, Hub
Transport, or Client Access server role must contain at least one GC server. If possible, your
domain controllers (DCs) should run a 64-bit Windows OS.

You need to have one GC server core for every eight
Exchange 2007 cores; your GC servers must be running a 64-bit Windows OS, and each server
must have enough physical memory installed so that it can cache the entire AD database in
RAM.

Exchange 2007 routing is based on AD site topology. Placing
Exchange 2007 in a dedicated site could negatively affect mail flow, particularly in organizations
with five or more AD sites.

The Mailbox, Client Access, Hub Transport, and Unified Messaging
server roles must be domain members and must have their IP addresses registered
with the organization's internal DNS server. The Client Access server needs to be accessible
from outside the organization; for security, configure the firewall to use port forwarding to
send HTTP traffic to the Client Access server. The Edge Transport server runs a hardened
Exchange implementation and isn't a member of a domain.

InstantDoc ID 96535

As you probably know, each Exchange 
2007 server can be assigned one or more of 
five available roles: Mailbox, Client Access, 
Hub Transport, Edge Transport, and Unified 
Messaging (UM). Servers running the Mailbox, 
Client Access, Hub Transport, or UM roles 
must be domain members and must therefore 
have their IP addresses registered with the 
organization's internal DNS server. 

The Client Access server is essentially just a 
Microsoft IIS server that hosts Microsoft Outlook 
Web Access (OWA). As such, users need to be 
able to access the Client Access server from 
outside the organization. Theoretically, administrators
could register the Client Access server's IP
address with an external DNS server, but doing so 
would be a security risk. More often, the address 
that's registered with an external DNS server is 
the firewall's external IP address. The firewall 
can then be configured to use port forwarding 
to send HTTP traffic to the Client Access server, 
which can then service OWA clients without 
exposing the server to the outside world. 

The most significant new feature of
Exchange 2007 from a DNS standpoint is the
creation of the Edge Transport role, a special
Exchange server designed to sit at the edge
of your network and receive messages from
the outside world. The organization's mail
exchanger (MX) record would typically contain
the IP address of the Edge Transport server.
When messages arrive at the Edge Transport
server, it performs various levels of message
hygiene, then forwards the messages to the
Hub Transport server. Because the Edge Transport
server sits at the network perimeter, it's
running a hardened Exchange implementation
and isn't even a member of a domain.

Plan Ahead for Performance

Exchange 2007 brings with it new features, new
architecture, and new management methods—and
along with all that, new headaches
for Exchange administrators. You can help
alleviate some of your headaches, at least,
by designing your AD with Exchange 2007 in
mind. A carefully implemented AD is one way
to ensure good performance of your servers.
Check out the sidebar, "AD Considerations
for Exchange 2007," for a checklist of things to
remember in your design.
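
The sidebar checklist and the GC core ratio from the Global Catalog Servers section, applied to an inventory, as an added example (not code from the article or from Microsoft). The inventory, the server and domain names, the dictionary layout, and the function names are constructed for illustration; comparing RAM directly with the Ntds.dit size and leaving Edge Transport cores out of the ratio are simplifying assumptions.

```python
import math

# Domain functional levels named in the article, lowest first.
LEVELS = ["Windows 2000 mixed", "Windows 2000 native", "Windows Server 2003"]
# Roles whose site must contain at least one GC server.
GC_ROLES = {"Mailbox", "Hub Transport", "Client Access"}


def gc_core_ratio(gcs, ntds_dit_gb):
    """Exchange cores per GC core: 8 only if every GC is 64-bit and has more
    RAM than the size of Ntds.dit (simplified "can cache it" test), else 4."""
    fits = bool(gcs) and all(
        g["bits"] == 64 and g["ram_gb"] > ntds_dit_gb for g in gcs)
    return 8 if fits else 4


def gc_cores_needed(exchange_cores, ratio):
    """Round up: a fraction of a core still means one more whole GC core."""
    return math.ceil(exchange_cores / ratio)


def check_forest(forest):
    """Return a list of findings; an empty list means the checklist passes."""
    findings = []
    dcs, exch = forest["dcs"], forest["exchange"]
    gcs = [d for d in dcs if d["gc"]]

    # Schema master and every GC server: Windows Server 2003 SP1 or later.
    for d in dcs:
        if (d["gc"] or d.get("schema_master")) and d["os"] < (2003, 1):
            findings.append(f"{d['name']}: needs Windows Server 2003 SP1 or later")

    # Every domain: functional level of Windows 2000 native or higher.
    for domain, level in forest["domains"].items():
        if LEVELS.index(level) < LEVELS.index("Windows 2000 native"):
            findings.append(f"{domain}: functional level is {level}")

    gc_sites = {g["site"] for g in gcs}
    dc_names = {d["name"] for d in dcs}
    for ex in exch:
        roles = set(ex["roles"])
        # A site hosting Mailbox, Hub Transport, or Client Access needs a GC.
        if roles & GC_ROLES and ex["site"] not in gc_sites:
            findings.append(f"{ex['name']}: no GC server in site {ex['site']}")
        # Edge Transport stays out of the domain; every other role is a member.
        edge = "Edge Transport" in roles
        if edge == ex["domain_member"]:
            want = "must not be" if edge else "must be"
            findings.append(f"{ex['name']}: {want} a domain member")
        # Exchange shouldn't share a server with a DC.
        if ex["name"] in dc_names:
            findings.append(f"{ex['name']}: Exchange is installed on a DC")

    # GC capacity: 8:1 or 4:1 core ratio, and no single point of failure.
    ex_cores = sum(e["cores"] for e in exch if "Edge Transport" not in e["roles"])
    ratio = gc_core_ratio(gcs, forest["ntds_dit_gb"])
    need, have = gc_cores_needed(ex_cores, ratio), sum(g["cores"] for g in gcs)
    if have < need:
        findings.append(f"GC cores: have {have}, need {need} at {ratio}:1")
    if len(gcs) < 2:
        findings.append("fewer than two GC servers: single point of failure")
    return findings


# Constructed sample inventory (hypothetical values, not from the article).
# "os" is (Windows Server release, service pack); "ntds_dit_gb" is the size
# of the Ntds.dit file in the \windows\ntds folder of a GC server.
SAMPLE = {
    "ntds_dit_gb": 6,
    "domains": {"corp.example": "Windows Server 2003",
                "branch.corp.example": "Windows 2000 mixed"},
    "dcs": [
        {"name": "DC1", "site": "HQ", "os": (2003, 2), "bits": 64,
         "ram_gb": 16, "cores": 2, "gc": True, "schema_master": True},
        {"name": "DC2", "site": "HQ", "os": (2003, 0), "bits": 32,
         "ram_gb": 4, "cores": 1, "gc": True},
        {"name": "DC3", "site": "Branch", "os": (2000, 4), "bits": 32,
         "ram_gb": 2, "cores": 1, "gc": False},
    ],
    "exchange": [
        {"name": "MBX1", "site": "HQ", "roles": ["Mailbox"],
         "cores": 8, "domain_member": True},
        {"name": "HUBCAS1", "site": "HQ",
         "roles": ["Hub Transport", "Client Access"],
         "cores": 8, "domain_member": True},
        {"name": "MBX2", "site": "Branch", "roles": ["Mailbox"],
         "cores": 4, "domain_member": True},
        {"name": "EDGE1", "site": "Perimeter", "roles": ["Edge Transport"],
         "cores": 2, "domain_member": True},
    ],
}

if __name__ == "__main__":
    for finding in check_forest(SAMPLE):
        print(finding)
```
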
Outlook and SharePoint: Playing Well Together

Putting a new interface on SharePoint

by Devin L. Ganger


Microsoft Outlook has long been the
center of Microsoft's collaborative
user experience. Information
workers rely on integrated messaging and 
calendaring to help manage their daily tasks. 
The result is that most users open Outlook first 
thing in the morning and shut it down only at 
the end of the day. 

Although email is great for applications 
such as integrated calendars and scheduling, 
it's not as good for uses like document and content
management. Your Microsoft Exchange
Server administrators have a long list of reasons 
why sending large attachments through email 
isn't the best way to share documents. How¬ 
ever, few of them offer reasonable alternatives 
that have low impact on your users' habits, and 
changing users' work habits, especially when 
those changes reduce convenience, is difficult. 
Enter Microsoft Windows SharePoint Services 
(WSS). 

SharePoint was designed as a collaboration 
platform and therefore is a better medium for 
sharing content than any messaging system. 
However, one of its main flaws—and the biggest
obstacle to getting organizations to deploy
SharePoint—is its Web-based interface. Users 
don't want to learn yet another interface for 
managing their documents. It's inconvenient 
to pull up a Web browser and navigate to a 
specific site just to upload or download a file, 
when they can simply use Outlook and attach 
the file to a message. However, what if they 
could use that same familiar Outlook interface 
to access content in SharePoint? Read on and 
let me show you how to do it. 

Using the Right Versions 

The first requirement for using Outlook and 
SharePoint together is to ensure that you have 
the right versions. Microsoft offers the following
main flavors of SharePoint products:

• WSS 3.0 is the most recent core SharePoint 
offering. It's built on ASP.NET 2.0 and free 
for download and deployment on Windows 
Server 2003. 


• Microsoft Office SharePoint Server (MOSS) 
2007 builds on WSS 3.0 and is the most 
recent enterprise-grade SharePoint product. 
It's suitable for large enterprises or external-facing
deployments.

• WSS 2.0 is the previous SharePoint offering 
and is built on ASP.NET 1.1. It's still available 
as a free download for Windows 2003 and is 
included in Windows 2003 R2. 

• SharePoint Portal Server (SPS) 2.0 is the previous
enterprise-grade SharePoint product;
it builds on WSS 2.0. 

There are a few other variants of SharePoint, 
but they're built on one of these four products. 
The differences are negligible from an Outlook 
user's point of view. 


Learning Path 


WINDOWS IT PRO RESOURCES: 

Learn about SharePoint: 

“SharePoint Server 2007 Revealed,” InstantDoc ID 
94914 

“Windows SharePoint Services 3.0 Out of the Box,” 
InstantDoc ID 94240 

Learn about Outlook contacts: 

“More About Outlook and SharePoint Contacts,” 
InstantDoc ID 93898 

Learn about using SharePoint and Outlook 
together: 

“SharePoint Integration with Outlook 2007, Part I,” 
InstantDoc ID 95919 

“SharePoint Integration with Outlook 2007, Part 2,” 
InstantDoc ID 96154 

“SharePoint Integration with Outlook 2007, Part 3,” 
InstantDoc ID 96384 

MICROSOFT RESOURCES: 

“Office SharePoint Server 2007” 

http://go.microsoft.com/fwlink/?LinkId=84739

“Microsoft Outlook 2003 Integration with SharePoint 
Products and Technologies” 

http://www.microsoft.com/technet/windowsserver/sharepoint/v2/reskit/c406!88lx.mspx
At a minimum, you need WSS 2.0 and Outlook
2003 to get the benefits of integration. To
get the best experience, you'll want WSS 3.0 and 
Outlook 2007. You don't have to use MOSS 2007 
or SPS 2.0; both WSS 2.0 and WSS 3.0 will do the 
job. 

You don't need a specific version of Exchange 
Server (or even use Exchange Server) to get Outlook
and SharePoint working together. Outlook
doesn't use typical messaging protocols such 
as Messaging API (MAPI) or SMTP to integrate 
with SharePoint. SharePoint alerts are the one 
exception to this rule: Alerts are email messages 
generated by SharePoint, so you need a working 
SMTP infrastructure. 

Depending on which versions of software 
you have in your environment, you might not 
see the full benefits of integration. Table 1 shows 
the interaction capabilities between different 
SharePoint and Outlook versions. WSS 2.0 and 
Outlook 2003 offer a degree of integration, but 
most of it is one-way integration; Outlook pulls 
the data from SharePoint, but any changes 
made in Outlook aren't pushed back. Instead, 
you must use your browser to update the 
resource in SharePoint; the updated content is 
then replicated back to Outlook. Although this 
isn't ideal for many scenarios, it's good enough 
for many teams and projects and gives users 
the benefits of having ad hoc or team-based 
repositories that they can view from Outlook. 

Note that if you use Exchange 2007 Outlook
Web Access (OWA), your access to SharePoint
data gets even better. You can configure
Exchange 2007 OWA to proxy requests to
specified internal SharePoint servers, allowing
authorized users to reach content in SharePoint
repositories by clicking embedded links in
their messages, even when they're outside your
firewall. Unfortunately, this isn't true if you're
using Outlook. Although the Outlook Anywhere
feature in Exchange 2007 lets you connect
to Exchange from any Internet connection,
it isn't a generic HTTP Secure
(HTTPS) proxy. If you're outside
your firewall and need Outlook
to access SharePoint data, either
your SharePoint servers must be
published externally or you need
some other solution such as a
VPN connection.


Table 1: Interaction Between SharePoint and Outlook Versions

SharePoint version   Outlook 2003   Outlook 2007
WSS 2.0              Read-only      Read-only
SPS 2.0              Read-only      Read-only
WSS 3.0              Read-only      Two-way
MOSS 2007            Read-only      Two-way


SharePoint Content Available 
Within Outlook 

The first thing you need to understand when 
using Outlook and SharePoint together is how 
SharePoint stores content. Although the SharePoint
interface uses Web pages and sites, most
SharePoint content is in the form of lists—calendar
events, contacts, documents, and the like.
The SharePoint interface is designed to help the 
user get to those all-important lists. Starting with 
WSS 2.0 and Office 2003, Microsoft provided 
integration points to allow Office applications 
such as Outlook to consume list content from 
SharePoint without the HTML wrapper. Figure 
1 shows a typical SharePoint document list seen 
from the Web browser; Figure 2 shows the same 
document list accessed from Outlook. 

Let's take a closer look at the types of SharePoint
content you can consume in Outlook, as
well as look at why you'd want to use SharePoint 
instead of Exchange or some other messaging 
system: 

Document workspaces. Document workspaces
are repositories for sharing documents.
SharePoint offers several desirable document
workspace features such as versioning and
document check-in and check-out. Although many
people use Outlook and Exchange public folders
for ad hoc document management, public folders
don't have the same features as SharePoint.
Don't underestimate the productivity boost of
knowing that you always have the most recent
version of a given document at your fingertips.
Outlook users can create shared attachments,
which are stored in a dynamically created SharePoint
document workspace as well as being sent
as a conventional attachment.

Figure 1: Browser view of MOSS 2007 document library

Meeting workspaces. Meeting workspaces,
such as the one that Web Figure 1
(http://www.windowsitpro.com, InstantDoc ID 96624)
shows, let you collect in one place all the typical
types of content that you might find in a meeting.
Outlook users can easily provision a meeting
workspace while setting up the meeting
invitation. Meeting workspaces offer features
such as an agenda list, an associated document
library, a task list, and a decision list. All
invitees can access and update these, allowing 
any participant in the meeting to update the 
agenda or upload a relevant document without 
having to manually send the changes out to all 
participants. 

Contacts. These are records that identify 
people with whom we interact. In SharePoint, 
contacts are typically shared by project or site; 
the contacts the IT team keeps will be different 
from the contacts the HR department keeps. 
SharePoint contacts are directly analogous to 
the Contact entries in Outlook and contain 
many of the same properties, as Figure 3 shows. 
By using a contact list in SharePoint, everyone 
who has access to the list has a single place to 
update the contacts, instead of having to maintain
and swap Contact objects. You could also
use public folders to share contacts, but then 
each recipient has to manually track the latest 
versions and update them. 

Events. Events are records that describe 
appointments, meetings, or other calendar 
data. In SharePoint, calendar data is typically 
shared by project or site, providing a convenient 
tool for groups. Outlook users are familiar with 
calendar data, so having shared calendars for 
specific projects—and having those calendars 
automatically update—is a huge win. 

Tasks. These are records that capture items 
that you're responsible for accomplishing, along 
with their due date, as Web Figure 2 shows. Both 
SharePoint and Outlook offer support for creat¬ 
ing and assigning tasks, but a SharePoint task 
list is immediately visible to all users without
having to manually send out and update the
tasks. Outlook will remind you of SharePoint
tasks that are due and show them in your calendar.

RSS feeds. These are XML files that describe
Web-based content without formatting. They
provide a way to subscribe to a content producer
and regularly pull updates into the user's
client of choice. Although you can modify WSS 
2.0 to provide RSS feeds, feeds are built into 
WSS 3.0 and are natively available for most 
types of lists. The ability to consume RSS feeds 
is a native feature of Microsoft Internet Explorer 
(IE) 7.0 and Outlook 2007. By leveraging this 
capability, you can consume practically any 
type of data stored in SharePoint beyond the 
types already mentioned. Figure 4, page 64, 
shows an RSS feed in Outlook. 

Synchronizing Content 

There are no special steps that you need to 
take to get Outlook talking to SharePoint; all 
the correct ActiveX controls are installed when 
you install Outlook. As you add SharePoint 
resources to Outlook, Outlook must track those 
resources. Both versions of Outlook create a 
separate PST file store on the local hard drive 
to hold the SharePoint content. Each separate 
SharePoint list is seen in Outlook as a unique 
folder within this new store. When new content 
is posted to the linked SharePoint list, Outlook 
copies it to the appropriate folder. 

This synchronization design has several 
implications that you need to be aware of. First, 
whenever you launch Outlook, it automatically 
attempts to synchronize SharePoint resources. 
This is great when you have access to the 
SharePoint server because it allows you to view 
the latest version of your SharePoint resources 
when you're offline without having to manually
fuss with synchronization. The downside
is that if Outlook can't connect to your configured
SharePoint resources, you'll see annoying
authentication prompts and synchronization 
errors. 

Because of this synchronization design, to 
keep automatic synchronization working, you 
must keep the folders in the SharePoint store. 
You can copy items out of these folders and into 
regular folders, but if you move the linked folders,
Outlook will lose the link to SharePoint and
will stop updating them. Likewise, any items 
that you copy or move from these folders won't 
be updated in their new locations. 

Finally, the SharePoint personal store is
unique to both the Outlook profile you're using
and the computer you're running it on; if you
use both a desktop and a laptop, you must add
your SharePoint resources to both instances of
Outlook.

Configuring Outlook 

The process for using Outlook with SharePoint 
is simple. The following steps outline the general
procedures for accessing and working with
different types of content. 

To access a SharePoint list: 

1. Access the SharePoint list that you want 
to synchronize with Outlook. 

2. Perform one of the following actions: 

• For WSS 2.0 and SPS 2.0 Contact and 
Event lists, select the Link to Outlook 
option in the list's header. See Figure 3 
for an example of this option. 

• For most WSS 3.0 and MOSS 2007 lists, 
select the Connect with Outlook option 
under the Actions menu in the list's 
header. 

3. Let Outlook synchronize with the SharePoint
resources automatically.

4. Optionally, copy the SharePoint data to 
other Outlook folders as needed. 


To link an attachment in Outlook to a SharePoint
Shared Workspace:

1. Open the message and attach the file as 
usual. 

2. Click the Attachment Options button, 
which Web Figure 3 shows. 

3. Select the Shared attachments option. 

4. Select an existing parent site under which 
to create the new Document Workspace or 
provide the URL of another parent SharePoint 
site. 

5. Send the message. 

To link an Outlook meeting invitation with a 
SharePoint Meeting Workspace: 

1. Open the meeting invitation in Outlook. 
Enter the details and invite the attendees. 

2. Click the Meeting Workspace button and 
specify the URL of the parent SharePoint site. 

3. Perform one of the following actions: 

• To create a new workspace, leave 
the Create a new workspace option 
selected. Select the template language 
and template type from the lists. 

• To use an existing workspace, select it 
from the list. 
4. Click OK to create the meeting invitation
and create or link the meeting workspace.

Pain Points 

Integration between Outlook and SharePoint 
isn't all roses. You need to keep in mind the following
limitations:

• By default, WSS uses Integrated Windows 
Authentication, where the browser passes 
the credentials of your logged-in Windows 
account to the SharePoint server. Outlook 
can be used in a variety of situations that 
don't allow integrated authentication, so 
your users might need to enter their credentials
to synchronize SharePoint content
when they first start up Outlook. 

• You must address backup and restore of your 
synchronized data because it's all kept in the 
special PST file. This store isn’t backed up 
during the server-side backup processes on 
your messaging server, so you need to include 
it in the workstation-level backup processes 
you use. (Your regular SharePoint backup 
process takes care of the server-side data, so if 
you do lose this store it's not lost forever.) You 
also need to ensure that your Outlook profile 
is backed up, which is not typically the case in 
many Exchange environments. 

• Synchronization between SharePoint and
Outlook doesn't always happen as quickly
as users would like. Although it's not a completely
random process, SharePoint synchronization
seems to happen as a background
task. As you're working in Outlook, it will
work through your configured SharePoint
resources one at a time and update them.
When you have a large number of updates,
this can take a bit of time. If you're in a hurry
and need to ensure that your SharePoint
resources are fully updated, you can right-click
the SharePoint store in Outlook and
select the synchronization option.

• As mentioned earlier, unless you're using 
Outlook 2007 and WSS 3.0 together, any 
updates you make to replicated content in 
Outlook will need to be manually uploaded 
to SharePoint. Although this means you can't 
use Outlook as a complete replacement for 
navigating SharePoint in your Web browser, 
you can use it as an alternative for day-to-day
tasks.

• The release version of Outlook 2007 has 
some problems with slow performance 
when the user's data store is larger than 
1GB. Because one of the reasons people 
are using Outlook and SharePoint together 
is to enable Outlook to handle the bulkier 
document types without having them clog 
up the messaging system, this problem can 
be a pain point when using Outlook and 
SharePoint together. The Microsoft article
"You may experience performance problems
when you are working with items in a large
.pst file or in a large .ost file in Outlook 2007"
(http://support.microsoft.com/kb/932086)
describes the problem and offers a hotfix to
resolve the problem.

Other Resources 

There are numerous resources for learning 
about SharePoint and Office. Many of them give 
excellent information on integrating SharePoint 
with Outlook and other Office applications. 
Here are a few of the best ones:


The Office Online Web site (http://office.microsoft.com)
is the first place to go for Office
guidance. It provides many useful resources for 
Office users, including handy how-to guidance 
for many tasks. 

One of your best resources for any version
of Office is the appropriate Microsoft Office
Resource Kit. These resource kits can be found
online at http://www.microsoft.com/office/ork
and contain a wealth of guidance to help
you manage your Office applications and find
ways to make them work better together.
Whether you're using WSS 3.0 or MOSS 2007,
most of the guidance will apply to
both products.

The SharePoint team maintains a blog at 
http://blogs.msdn.com/sharepoint. It provides 
a fascinating and useful "behind the scenes" 
look at the SharePoint product. Many of the 
posts focus on administering SharePoint and 
using SharePoint through the Web interface, 
but the blog is a great contact point not only 
with the SharePoint product team, but with the 
regular crowd of SharePoint enthusiasts who 
participate through the comments. 

Better Together 

WSS is Microsoft's preferred collaboration platform
for sharing and managing document
and list content. Although it's grown steadily
more useful with every version, offering greater
degrees of interaction with the applications in
the Office suite, many users and administrators
fail to take full advantage of its true power
because they find a Web-based interface to be 
too cumbersome or disruptive. 

Outlook is a popular productivity application
that helps users manage not just messaging
data, but calendar and contact information as 
well. With the integration points provided by 
Microsoft, you can use SharePoint and Outlook 
together to fully leverage the strengths of each 
product. This kind of interaction can overcome 
some of the limitations of using the messaging 
infrastructure (such as Exchange Server) as a 
document dissemination and management 
medium, while still giving users a central interface
for their daily information worker tasks.
Tricks & Traps - Ask the Experts


Q: I mistakenly deleted a user
account, and only that account has
access to certain resources. Can I
change another account's SID to the
SID of the deleted account?

A: When an object (e.g., a user 
account) is created, the OS gives it an 
SID, which is stored in the objectSid 
attribute of the object. If you try to 
modify the attribute, even when running
in the local system context, you
receive the error message that Figure 
1 shows. 

Essentially, the SID is owned by 
the system, and a user can't change it 
to a particular value. The ability to do 
so would create a security vulnerability
because changing the SID on an
object could give it access rights that 
it shouldn't have. 

If you have a system state backup, 
you can perform an authoritative 
restore of the deleted object, and the 
restored object will have its original 
SID. (For more information about
authoritative restores, see the Web-exclusive
article "How can I perform
an authoritative restoration of Active
Directory (AD) in Windows Server
2003?" December 2003, InstantDoc
ID 41170.)

If no system state backup is avail¬ 
able, and if the resource that you're 
trying to obtain access to is a file, an 
Administrator can take ownership of 
the file then set whatever permissions 
are needed. If the item is an AD object
or a service that uses AD, the Administrator
can use the ADSIedit tool
(which is part of the Windows 2000
and later support tools) to take ownership,
then set access permissions.

If you deleted the account within
the last 60 days, it's not actually gone
from AD. Deleted objects are marked
with a tombstone prior to removal
from the directory to allow replication
of their deleted state throughout the
enterprise. The Sysinternals Adrestore
utility, which you can download
at http://www.sysinternals.com,
will restore the tombstoned objects.

InstantDoc ID 96281
—John Savill


Q: When I try to run the netmonsetup.exe file that I
copied from the Microsoft Systems Management
Server (SMS) CD-ROM, it fails,
saying the license can’t be found.
What’s the problem?

A: If you copied the NETMON\i386
folder from the CD-ROM to a local
folder, you also need to create a SMSSetup folder
at the same level as the NETMON folder and copy
the license.txt from SMSSetup into it. The
installation will then run correctly.

InstantDoc ID 96283
—John Savill


Q: How do I enable Network Monitor
(Netmon) in Windows Server 2003?

A: Netmon is part of Windows 2003.
To install the tool, perform these
steps:

1. Start the Add/Remove Programs
Control Panel applet (Start,
Settings, Control Panel, Add/Remove
Programs).

2. Click the Add/Remove Windows
Components button.

3. Select "Management and
Monitoring Tools" and click Details.

4. Select "Network Monitor Tools"
and click OK.

5. Click Next to proceed with
installation. Click Finish, then click
Close to exit.

The version of Netmon with Windows
2003 monitors only traffic sent to or
from the server. The Microsoft Systems
Management Server (SMS) version
monitors all packets on the network.

InstantDoc ID 96282

John Savill
(jsavill@windowsitpro.com)


Q: How can I block the automatic
installation of Windows Server 2003
SP2?

A: Microsoft has released a
blocker tool, which you can
download at
http://www.microsoft.com/downloads/details.aspx?FamilyId=FC145B0B-C148-445A-82BA-9B2F3AEF6E60&displaylang=en.
The toolkit contains an executable file, a script,
and an .adm template for Group
Policy deployment. Each mechanism
performs the same modification,
which is to create a registry key
(HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate)
and add a DWORD value DoNotAllowSP
that's set to 1. Without this key present,
the service pack will be delivered
automatically starting June 12, 2007.
The key remains in effect until March
13, 2008, at which point the service
pack will be applied regardless of the
registry key's presence.
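A way to check a server for the blocker value this answer describes, added here as an example (it is not the script shipped in Microsoft's toolkit). Run with no argument it reports whether DoNotAllowSP is present and set to 1; the argument name set, which writes the value with reg.exe, is an assumption of this example.

```batch
@echo off
rem Added example: audit or set the SP2 blocker value described in the answer.
rem   no argument -> report the current state (exit code 0 = blocked, 1 = not blocked)
rem   set         -> create the key if needed and write DoNotAllowSP = 1
setlocal
set "KEY=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
set "VAL=DoNotAllowSP"
set "DATA="

if /i "%~1"=="set" (
  reg add "%KEY%" /v %VAL% /t REG_DWORD /d 1 /f >nul || exit /b 2
  echo %VAL% set to 1 under %KEY%
  exit /b 0
)

rem reg query prints a line of the form:  DoNotAllowSP  REG_DWORD  0x1
rem Only the line whose first token is the value name is used.
for /f "tokens=1,2,3" %%a in ('reg query "%KEY%" /v %VAL% 2^>nul') do (
  if /i "%%a"=="%VAL%" set "DATA=%%c"
)

if not defined DATA (
  echo %VAL% is absent: automatic delivery of SP2 is not blocked
  exit /b 1
)
if "%DATA%"=="0x1" (
  echo %VAL% = 1: automatic delivery of SP2 is blocked
  exit /b 0
)
echo %VAL% = %DATA%: not the blocking value
exit /b 1
```

The exit code lets a logon or inventory script flag machines where the value is missing before the delivery date.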
The Power of For

It’s the ultimate Windows power tool


Over the past couple months, I've been discussing
Chml, a tool I wrote to manipulate a new Windows
Vista feature called integrity levels. When I
created the tool, unfortunately, I never got around to building
in support for wildcards. So, I was a bit frustrated when
I recently needed to raise the integrity level of all files with
names starting with "s" to the High integrity level. Ideally,
I could just type

chml s* -i:h

to get the job done. Then, I realized I didn't need to build
in wildcard support, because a very old and powerful
Windows utility—the For command—could provide that
functionality for me.

What For Is For 

For is the ultimate Windows power tool. Essentially, For's 
job is to automatically select a set of files or folders based 
on a criterion that you specify, then to execute a given 
command repeatedly—once for each file. For's syntax 
looks like 

for %<variablename> in (<filenamefilter>) do <command>

where filenamefilter tells For which files to select, and command
tells For which command to run. In my example, I
want to specify a filename filter of (s*), which specifies all
files (and folders) whose names start with the letter "s." So,
I would type

for %a in (s*) do chml %a -i:h

In this command, For does the wildcard processing for me 
by looking in the current folder, seeking out the files whose 
names start with “s,” invoking Chml once for each of those 
files, then returning to the folder to search for any more 
matching files. Running this For statement is the exact 
equivalent of an administrator first figuring out which files 
have names starting with “s,” then typing a Chml statement 
for that file—except, of course, that it's a lot easier to let For 
do the work. 

The command I originally wanted to run looked like 

chml <fill in the filename> -i:h. 

The variablename variable accomplishes the fill in the filename
part of that command. As For works its way through
the sequence of files that match the filename filter, it needs
a place to hold the file. That's what %a is doing in my original
example—%a is what Windows refers to as a replaceable
parameter or variable. It's a place in memory where the For
command, after it finds a matching file, can insert that value
into the command, replacing %a with the filename.

Thus, if my current directory contains three files—sit.txt,
hi.exe, and salt.dat—For would first find the sit.txt file and
place it into the %a variable. For would then progress to the
command

chml %a -i:h

and substitute sit.txt for %a, resulting in a command of

chml sit.txt -i:h

which is the exact text of the command that For would then execute. After
executing that command, For would find a match in salt.dat
(remember that hi.exe wouldn't match the "s*" pattern) and
again build a Chml command, this time executing

chml salt.dat -i:h

For would then find no more matches and would stop.
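The For-plus-Chml pattern walked through above, written as a batch file and added here as an example (it is not from the article). It lists what would be relabelled before anything changes and quotes each path so a filename containing spaces reaches Chml as a single argument; the script name setil.cmd and its apply argument are assumptions, while chml and the -i:h switch are the article's.

```batch
@echo off
rem setil.cmd (hypothetical name) - added example, not part of the article.
rem Preview, then apply, "chml <file> -i:h" to every file matching a filter.
rem   setil.cmd s*          lists the commands that would run (dry run)
rem   setil.cmd s* apply    runs them
setlocal
if "%~1"=="" (
  echo usage: %~nx0 ^<filename-filter^> [apply]
  exit /b 1
)
set "FILTER=%~1"
set "MODE=%~2"
set /a COUNT=0

rem Inside a batch file the replaceable parameter is written %%a;
rem typed at the command prompt it is %a, as in the article.
rem %%~fa expands to the full path of the match, and the surrounding
rem quotes keep a name such as "sales report.txt" as one argument.
for %%a in (%FILTER%) do call :one "%%~fa"

if %COUNT%==0 (
  echo no files match %FILTER%
  exit /b 1
)
echo %COUNT% file^(s^) matched %FILTER%
exit /b 0

:one
set /a COUNT+=1
if /i "%MODE%"=="apply" (
  chml "%~1" -i:h
) else (
  echo would run: chml "%~1" -i:h
)
exit /b 0
```

Running the dry run first matters here because the wildcard decides which objects get the High integrity label, and the list is easier to review before the change than after it.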

This most basic of For's formulations will cause For to 
find file matches in the current folder. You can extend that 
behavior in two ways. First, adding the /r switch after the 
For command causes For to search not just the current 
folder but also any subfolders (and sub-subfolders, and so 
on) in that folder. For example, 

for /r %a in (s*) do chml %a -i:h 


Watch for More For 

For is one of those little unsung Windows heroes, and even 
some long-time Windows power users might not be aware 
of it. I've only scratched the surface of its power, so join me 
next month for more For.


Top 10


Questions About Server Core 

Learn what it is and how you work with it 


One of the biggest features to look forward to with
the release of Windows Server 2008 (formerly
code-named Longhorn) is a new version of Windows
called Server Core, developed in response to customers
asking for Linux-like headless operation. You might be
wondering what Server Core is and what it can do for you,
so here are answers to some of the most frequently asked
Server Core questions.


10 What is Server Core? Server Core is a
stripped-down version of Windows 2008
that provides essential network infrastructure
capabilities but does away with all
nonessential graphical functions such as the Windows shell,
Microsoft Internet Explorer, Microsoft Outlook Express, and
the .NET CLR.


9 Is Server Core licensed the same as Windows 
2008? Yes. Although Server Core has a smaller 
feature set than the full version of Windows 2008, 
Microsoft offers Server Core as an installation 
option. Therefore, the Standard, Enterprise, and Datacenter 
editions of Server Core have the same licensing as their 
respective versions of Windows 2008. 

8 How do I install Server Core? During the Windows
2008 installation process, you'll be prompted
to install either the full version of Windows 2008 or
Server Core. For example, if you're installing Windows
2008 Enterprise Edition, you'd select Windows Server
2008 SERVERENTERPRISECORE to install Server Core.


7 Can I upgrade from Windows Server 2003 to
Server Core? No, all installations of Server Core
must be clean installs. Because Server Core is an
all-new version of the Windows Server OS, there
isn't an upgrade path from any existing versions of Windows
Server. However, Windows 2008 R2 should include an
upgrade path from Server Core to Server Core R2.

6 How do I manage Server Core? Your primary
tool for managing a Server Core installation is the
command line. Server Core uses a very minimal
shell that contains only a blue background and
a command window. Note that you need to be familiar
with the Windows shell commands to manage Server Core
locally. If you prefer to use graphical tools, you can manage
Server Core remotely using Microsoft Management
Console from another Windows Server system.


5 If Server Core isn't graphical, how do I perform
the initial system setup? Windows 2008 displays
an Initial Configuration Wizard following the
setup that lets you configure several essential
system settings. Server Core, because it isn't graphical,
doesn't include the wizard. However, Microsoft provides
a Windows Script Host script named scregedit.wsf in the
c:\windows\system32 directory that you can use to perform
most of the initial system configuration tasks.


4 Can Server Core run applications? Yes, Server
Core can run applications and services. However,
Server Core includes only very basic graphical
capabilities, so programs that depend on
advanced graphics, such as Microsoft .NET Framework
applications, won't run. Most system services and batch
files work fine.

3 Can Server Core run Windows PowerShell? No,
because Server Core doesn't support the .NET
Framework, which is a prerequisite for PowerShell.
You can't run any applications that depend
on the .NET Framework on Server Core. This includes
Microsoft IIS 7.0 ASP.NET applications, Microsoft SQL
Server 2005, and Microsoft Exchange Server 2007.


Michael Otey
(mikeo@windowsitpro.com) is technical director
for Windows IT Pro and
SQL Server Magazine and
coauthor of SQL Server
2005 Developer’s Guide
(Osborne/McGraw-Hill).


2 How do you view and change Server Core
roles? Because Server Core doesn't have a GUI,
you can't use Server Manager to add or remove
roles and features from a Server Core installation.
Instead, Microsoft provides two new command-line tools
that are found only in Server Core: Oclist, which lists all the
available Server Core roles and shows their current status,
and Ocsetup, which is used to add and remove roles from
Server Core.


1 Is Server Core compatible with the
new Windows Server Virtualization?
Yes. In fact, combining Server
Core with Windows Server Virtualization
is one of its best uses. You can
install Server Core in the managing or
parent partition of a Windows Server
Virtualization system to create a bare-metal-style
virtualization platform. Then, guest OSs can be installed
in the child partitions.


At a Glance

Brisworks Admin Arsenal
Visual Click Software’s DSRAZOR
ForeScout Technologies’ CounterACT



Simplify Systems Management 

Brisworks Admin Arsenal 


In a recent conversation about network monitoring software, a friend suggested
that I give Admin Arsenal from Brisworks a try. After being impressed by the
demo, I purchased the product for $250 and downloaded it from the Brisworks
Web site.

I initially used the software to monitor workstations and event logs, but I've since
begun using it to oversee my servers. Beyond network and system monitoring, my
biggest use of the product has been for software distribution. Admin Arsenal creates
software distributions easily, and it's very fast. When I needed to perform a quick
software distribution, it completed the task swiftly and without any problems.

Admin Arsenal is also useful for running overnight system tests and tracking
down system and network problems. Thanks to the
speed and efficiency of the software distribution and
reporting features, I've saved almost an entire workday
every week—it really is that fast and efficient.

I've worked with IBM Tivoli and Microsoft Systems Management Server, and both
are very powerful systems. They're also extremely expensive and unintuitive. For software
distribution, I much prefer Admin Arsenal.

The one and only complaint I have about Admin Arsenal is that it doesn't look 
at any devices that exist outside of Active Directory. We have some Linux boxes and 
Macintosh computers on our network, but Admin Arsenal doesn't support them. 



Reader:
Laura Bradford
Network manager

Product:
Admin Arsenal

Company:
Brisworks

Contact:
http://www.brisworks.com


Wanted: Your Real-World Experiences with Products

Have you discovered a great product that saves you time and money? Do you use something you wouldn’t wish 
on anyone? Tell the world in a review right here in What’s Hot: Readers Review Hot Products. If we publish your 
opinion, we’ll send you a Best Buy gift card! Send information about a product you use and whether it helps you or 
hinders you to whatshot@windowsitpro.com. 



www.windowsitpro.com 


We’re in IT with You 


Windows IT Pro 


SEPTEMBER 2007 73

What’s Hot 


Remote Network Security and Administration 

Visual Click Software’s DSRAZOR 


Reader: 

Gary Serencsa 
Network administrator 

Product: 

DSRAZOR for Windows 

Company: 

Visual Click Software 

Contact: 

http://www.visualclick.com 


There are almost two dozen schools in our school district, and we
needed to allow an employee at each school to change students'
computer passwords without having to contact our main office. We
have more than 16,000 students in our district, and having to manage
every user account onsite was becoming a significant challenge.

I heard about Visual Click Software's DSRAZOR for Windows
while searching for a utility that would help us with user management.
DSRAZOR had received some great reviews, so I decided to give it a try.
The software was easy to install, and we were pleased with how the support
staff helped us learn how to use the application. DSRAZOR ships
with preloaded user account functions that let you become productive
immediately.


"What used to take us weeks to accomplish
we are now able to do in a few days."

—Gary Serencsa, network administrator

The features that appeal to me the most are the bulk user creation function
and the ability to delegate specific permissions to other users so
that they can create user accounts and change passwords. It's also easy
to set up customized forms for delegation, and the product integrates
well with Active Directory (AD)—you don't need to change anything in
AD for DSRAZOR to work.

This product has saved the district many hours of work. What used 
to take us weeks to accomplish we are now able to do in a few days. We 
are no longer burdened by doing simple tasks such as creating user 
accounts or changing passwords. Although it would be nice if DSRAZOR 
offered more user-specific customization options, I would definitely 
recommend it to anyone who needs to simplify account management.


What’s Hot


Proactively Protect Your Network from Threats 

ForeScout Technologies’ CounterACT 


Reader: 

Al Wendt 
Network manager 

Product: 

CounterACT 

Company: 

ForeScout Technologies 

Contact: 

http://www.forescout.com 


When a consultant brought a laptop infected with the
Code Red worm into our office a few years ago, the worm shut
down the office for almost two days, and we learned the hard
way that we needed a solution to prevent such attacks. We
needed to control who could log on to our network and the
capabilities those users had. We wanted a product that didn't rely only
on signatures, and it had to be easy to manage.

After looking at several Network Access Control (NAC) solutions, we
implemented ForeScout Technologies' CounterACT, a NAC and
intrusion-prevention solution. CounterACT has a clientless approach, uses
behavior detection, and is easy to manage. It also includes a pretty good
vulnerability assessment tool, so one solution gives us three products:
malware detection, NAC, and vulnerability assessment. CounterACT
has come in handy on several occasions. For example, when a user
opened a worm-infected email attachment, CounterACT immediately
caught the problem and blocked the user from sending any messages.
CounterACT also alerted us when an employee was using peer-to-peer
applications against company policy so we could remove the
programs.


"The market is still playing catch-up to CounterACT."

—Al Wendt, network manager


We bought CounterACT a few years ago, and since then the market
has changed considerably. In my view, however, the market is still playing
catch-up to CounterACT.


Ctrl+Alt+Del BY JASON BOVBERG


SEND US YOUR INDUSTRY HUMOR! Email your funny screenshots, favorite end-user moments, and humorous IT-related pics to 
rumors@windowsitpro.com. If we use your submission, you’ll receive a Ctrl+Alt+Del coffee mug. 



A profound understanding of security

Silly me

[Screenshot] Password Error: Password can have at most 0 characters.

[Screenshot] Windows Media Player: Your system is set to DVD region 1. To play this DVD, set your system to region 1.

[Screenshot] Printer Name Er

One of Windows Vista’s many benefits is radically improved battery life

I think we’re all familiar with this ubiquitous error message

[Comic strip by Scott Adams]


SEND US YOUR END-USER STORIES

Ever have one of those days when users unintentionally
tickle your funny bone? Ever NOT have one of those days?

We’ve published several hilarious end-user moments in this space over
the past year, and we want to hear some more! In 150 words or fewer,
send your greatest, funniest, most embarrassing user experience to
rumors@windowsitpro.com, and we might just publish it on this page.
